In that case it's much simpler; you just need to implement some policies. Forgive the old example, but this is one I constructed a few months back that more or less focuses on a similar request from another user. You are welcome to take a look and pull whatever you can from it:
And to apply the policies is as simple as defining them via the routes:
In this case the policy was designed to be multi-purpose, but you could just as easily create multiple policies for very specific purposes. Note that policy logic is basically executed as a scoped Koa middleware: it's executed before the controller as long as the code sits before the await next(); anything after the await next() will be executed after the controller (basically the request chain working in reverse to return the information to the user).
A very rough tree of the request chain would be something like:
- User makes request
- Request middlewares are called
- Users-Permissions plugin validates the request (also sets the ctx.state.user)
- Koa matches the route via regex
- Execute any policies
- Execute the handler (controller => service => query)
- Begin reversing back up through all the steps (bypassing Users-Permissions since nothing is run there)
Hopefully that helps, please do let me know if you figure out a useful solution as I would be interested in taking a look at your code, and don’t hesitate to ask for more information if you need. 
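To make the before/after-next() ordering described in the post concrete, here is an added example (not code from the original post or from Strapi itself) of a Koa-style policy running ahead of a handler. The tiny compose(), the isOwnerOrAdmin policy, the findOne handler and the handle() runner are all assumed, illustrative names; ctx.state.user is pre-populated to stand in for the Users-Permissions step.

```javascript
// Minimal compose in the spirit of koa-compose: each middleware gets (ctx, next)
// and calling next() hands control to the next function in the chain.
function compose(middlewares) {
  return (ctx) => {
    let index = -1;
    const dispatch = (i) => {
      if (i <= index) return Promise.reject(new Error('next() called twice'));
      index = i;
      const fn = middlewares[i];
      if (!fn) return Promise.resolve();
      return Promise.resolve(fn(ctx, () => dispatch(i + 1)));
    };
    return dispatch(0);
  };
}

// Hypothetical policy: everything before `await next()` runs before the handler,
// everything after it runs on the way back out (response post-processing).
async function isOwnerOrAdmin(ctx, next) {
  ctx.trace.push('policy:before');
  const user = ctx.state.user; // set earlier by the Users-Permissions step
  if (!user) { ctx.status = 401; ctx.body = { error: 'Unauthorized' }; return; }
  const isAdmin = user.role === 'administrator';
  if (!isAdmin && String(user.id) !== String(ctx.params.id)) {
    ctx.status = 403; ctx.body = { error: 'Forbidden' }; return; // handler never runs
  }
  await next();
  ctx.trace.push('policy:after');
  // Reverse leg: strip a field the caller should never see from the handler's output.
  if (ctx.body && typeof ctx.body === 'object') delete ctx.body.password;
}

// Hypothetical controller (handler) returning a constructed user record.
async function findOne(ctx) {
  ctx.trace.push('handler');
  ctx.body = { id: Number(ctx.params.id), username: 'alice', password: 'hash' };
  ctx.status = 200;
}

// Run one request through the policy and then the handler; `user` simulates
// what Users-Permissions would have placed in ctx.state.user.
async function handle(user, id) {
  const ctx = { state: { user }, params: { id }, status: 404, body: null, trace: [] };
  await compose([isOwnerOrAdmin, findOne])(ctx);
  return ctx;
}

// In a route config the policy would be referenced by name, roughly (assumed shape):
// { method: 'GET', path: '/users/:id', handler: 'user.findOne',
//   config: { policies: ['is-owner-or-admin'] } }
```

The trace array records the order policy:before, handler, policy:after for an allowed request, and stops at policy:before when the policy short-circuits without calling next().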