System Information
- Strapi Version: 3.2.4
- Operating System: macOS High Sierra 10.13.6
- Database: SQLite 5.0.0, PostgreSQL 8.4.1
- Node Version: 12.18.4
- NPM Version: >=6.0.0
- Yarn Version: 1.22.4
I'm making a blogging platform system that has 3 models:
- `User` has many `Posts` (one-to-many)
- `User` has many `Goals` (one-to-many)
- `Posts` has and belongs to many `Goals` (many-to-many, because I can write many different posts about 1 goal, and 1 post can be categorized under a few goals)

The concept is that a `User` has many `Goals` set out to be achieved, and can categorize the `Posts` he writes under various `Goals`. But only the `User` can use his own `Goals` to categorize his `Posts`. I did a POST request to the `Posts` endpoint, but found that `User2` can use `User1`'s `Goals`, even though the authorization header is using `User2`'s token.

Why is that? Did I do something wrong to the model relations? Is it due to the many-to-many relation between `Posts` and `Goals`?
That happens because you got the Posts with Goals; in that case the Goals don't care whether they are related to a User or not (since they do not include any information about the user: as you use one-to-many, only Users contain information about Goals, and not vice versa). You should write some complex custom controllers/queries and verify that the User is in the relation with the current goals list before getting the data, or before updating the data.
So when you are getting the posts + goals, you should check whether the user has a relation with these returned goals; if not, then exclude them.
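The ownership check described in the two replies above, written out as an added example (this is not code from the thread or from Strapi itself). It is shaped like a Strapi v3 custom controller for the `post` content type and assumes the names from the question: a `goals` many-to-many relation on `post`, a `user` many-to-one relation on `goal`, and the authenticated caller in `ctx.state.user` as the Users & Permissions plugin sets it. The `strapi` object is injected through a factory so the logic can be exercised without a running server; `foreignGoalIds`, `goalIdsFromBody`, `restrictGoalsToOwner` and `makePostController` are names chosen here, not Strapi API.

```javascript
// Added example, not code from this thread or from Strapi. It assumes Strapi
// v3 content types `post` and `goal`, a many-to-many `goals` relation on post,
// a many-to-one `user` relation on goal, and the caller in ctx.state.user as
// set by the Users & Permissions plugin.

// A relation field may arrive as a raw id or as a populated object.
function relationId(value) {
  if (value === null || value === undefined) return null;
  return String(typeof value === 'object' ? value.id : value);
}

// Normalize the `goals` field of a request body to de-duplicated string ids.
function goalIdsFromBody(body) {
  const raw = body && body.goals;
  if (raw === undefined || raw === null) return [];
  const list = Array.isArray(raw) ? raw : [raw];
  return [...new Set(list.map(relationId).filter((id) => id !== null))];
}

// Requested ids that do not appear among `ownedGoals` (the caller's own goals).
function foreignGoalIds(requested, ownedGoals) {
  const owned = new Set(ownedGoals.map((g) => relationId(g)));
  return requested.filter((id) => !owned.has(id));
}

// Read side: keep only the goals on a post that belong to `userId`.
function restrictGoalsToOwner(post, userId) {
  if (!post || !Array.isArray(post.goals)) return post;
  return { ...post, goals: post.goals.filter((g) => relationId(g.user) === String(userId)) };
}

// Controller factory. `strapi` is injected so the logic runs without a server;
// in api/post/controllers/post.js you would export makePostController(strapi)
// using the global and pass responses through sanitizeEntity from strapi-utils.
function makePostController(strapi) {
  const callerId = (ctx) => (ctx.state.user ? ctx.state.user.id : null);

  // One query filtered by id AND owner: any requested id missing from the result
  // is nonexistent or belongs to another user, so it is rejected.
  async function foreignGoalsFor(ctx, ids) {
    if (ids.length === 0) return [];
    const owned = await strapi.query('goal').find({ id_in: ids, user: callerId(ctx) });
    return foreignGoalIds(ids, owned);
  }

  return {
    async create(ctx) {
      if (!ctx.state.user) return ctx.unauthorized();
      const foreign = await foreignGoalsFor(ctx, goalIdsFromBody(ctx.request.body));
      if (foreign.length > 0) return ctx.forbidden(`goals not owned by caller: ${foreign.join(', ')}`);
      // Pin the post's owner to the caller; never take `user` from the body.
      return strapi.services.post.create({ ...ctx.request.body, user: callerId(ctx) });
    },

    async update(ctx) {
      if (!ctx.state.user) return ctx.unauthorized();
      const existing = await strapi.services.post.findOne({ id: ctx.params.id });
      if (!existing || relationId(existing.user) !== String(callerId(ctx))) {
        return ctx.forbidden('not your post');
      }
      const foreign = await foreignGoalsFor(ctx, goalIdsFromBody(ctx.request.body));
      if (foreign.length > 0) return ctx.forbidden(`goals not owned by caller: ${foreign.join(', ')}`);
      const { user: _ignored, ...data } = ctx.request.body; // owner cannot be reassigned
      return strapi.services.post.update({ id: ctx.params.id }, data);
    },

    async find(ctx) {
      const posts = await strapi.services.post.find(ctx.query);
      return posts.map((p) => restrictGoalsToOwner(p, callerId(ctx)));
    },

    async findOne(ctx) {
      const post = await strapi.services.post.findOne({ id: ctx.params.id });
      return post ? restrictGoalsToOwner(post, callerId(ctx)) : ctx.notFound();
    },
  };
}
```

The check has to live in the controller rather than in the model definition: the relation only records which goal ids are attached to a post, and the request body is fully under the client's control, so whatever goal ids the client sends are accepted unless the server re-reads them scoped to the caller. Querying the goals by `id_in` together with `user` does that in one round trip and turns a goal owned by someone else into a 403 instead of a silent link.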
Nice, thanks for the tips Sunny!

Do you think there's a way where I can simply change the models for `User`--`Goals` or `Posts`--`Goals` to get the effect I want?

Another possible solution I'm thinking of is if I can just ensure that the user can only select from a drop-down list of his own `Goals`, using a GET request to his `Goals` to populate the choices, rather than an open input field - what do you think?
Hey Sunny, I wonder if this tutorial (which you just shared in another forum post) is the answer to my questions? To restrict content editing of `Goals` to `Authors` only. What do you think?