Assuming you would like to protect the API endpoint PUT /api/books/:id so that it returns 403 Forbidden if the book doesn’t belong to the user.
The process to implement this would be:
- Wrap the `update` core controller. See the example for `find` here.
- As part of your wrapper, first retrieve the book, e.g. using the entityService (see example here). Then check the createdBy id of the book. If it doesn't match the id of the user making the request (e.g. found in `ctx.state.user.id`), simply return a Forbidden response (e.g. using `ctx.forbidden`).
Another option would be implementing the above in a middleware instead of by wrapping the controller.
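The wrapper described above, as an added example that is not the poster's code or Strapi's own: the ownership check is written as a plain function so it runs without a Strapi install. It assumes `entityService.findOne(uid, id, params)` resolves to the entry with `createdBy` populated, a Koa-style `ctx` with Strapi's `ctx.forbidden()`/`ctx.notFound()` helpers, and `coreUpdate` standing in for the core `update` handler; the `api::book.book` uid and all sample data are constructed for the demo.

```javascript
// Assumed content-type uid for the books collection (constructed for this example).
const BOOK_UID = 'api::book.book';

// Returns an update(ctx) handler that only calls the core update when the
// requesting user is the entry's creator. Mirrors the "wrap the core controller"
// step; in a real Strapi project this would sit inside createCoreController's
// callback with `super.update(ctx)` as coreUpdate.
function wrapUpdate(coreUpdate, entityService) {
  return async function update(ctx) {
    const { id } = ctx.params;
    // Retrieve the book first, populating the createdBy relation (assumption).
    const book = await entityService.findOne(BOOK_UID, id, { populate: ['createdBy'] });
    if (!book) return ctx.notFound('Book not found');

    const ownerId = book.createdBy ? book.createdBy.id : undefined;
    const requesterId = ctx.state.user ? ctx.state.user.id : undefined;
    // Deny when either id is missing or they differ: unauthenticated requests
    // and other users' requests both get 403 instead of reaching the update.
    if (ownerId === undefined || requesterId === undefined || ownerId !== requesterId) {
      return ctx.forbidden('You are not allowed to update this book');
    }
    return coreUpdate(ctx);
  };
}

// Constructed stand-ins for the Koa context and Strapi's entityService.
function makeCtx(bookId, userId) {
  const ctx = { params: { id: bookId }, state: { user: userId === undefined ? undefined : { id: userId } }, status: 200, body: undefined };
  ctx.forbidden = (msg) => { ctx.status = 403; ctx.body = { error: msg }; return ctx; };
  ctx.notFound = (msg) => { ctx.status = 404; ctx.body = { error: msg }; return ctx; };
  return ctx;
}
const fakeEntityService = {
  // Only book 1 exists; it was created by admin user 7.
  async findOne(uid, id) { return id === 1 ? { id: 1, title: 'Book one', createdBy: { id: 7 } } : null; },
};
const coreUpdate = async (ctx) => { ctx.status = 200; ctx.body = { data: { id: ctx.params.id, updated: true } }; return ctx; };

// Runs one PUT /api/books/:id scenario and returns the resulting HTTP status.
async function runScenario(bookId, userId) {
  const update = wrapUpdate(coreUpdate, fakeEntityService);
  const ctx = makeCtx(bookId, userId);
  await update(ctx);
  return ctx.status;
}

runScenario(1, 8).then((status) => console.log('other user -> HTTP', status));
```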