I want to check if a specific user has permissions which other users don't have.
Assuming I have a list of IDs of the users that have this specific permission, is it safe to just compare the req.user.id to the IDs in the list and if there is a match, grant them permission? Can someone send a request and just fill in an ID of someone else?
I am using Discord OAuth2 with passport, passport-discord and express-session for authentication.
from Is req.user guaranteed to be a valid, authenticated user? [passport.js]
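An added example, not part of the original question: an allowlist check written as Express-style middleware. With Passport and express-session, `req.user` is filled in on the server from the session that the signed session cookie points to, so the check reads only `req.user.id` and never an ID supplied in the request. The names `PRIVILEGED_IDS`, `requirePrivileged` and `simulate`, and all IDs, are constructed for illustration.

```javascript
// Added example: allowlist authorization for an Express + Passport app.
// PRIVILEGED_IDS, requirePrivileged and simulate are hypothetical names;
// the IDs below are constructed sample values.

// Discord IDs are 64-bit snowflakes. Keep them as strings: as numbers they
// exceed Number.MAX_SAFE_INTEGER and distinct IDs could compare equal.
const PRIVILEGED_IDS = new Set(['100000000000000001', '100000000000000002']);

function requirePrivileged(allowed) {
  return function (req, res, next) {
    // Passport adds req.isAuthenticated() and sets req.user after
    // deserializing the server-side session. Nothing from req.body,
    // req.query or request headers is consulted for identity.
    const authenticated =
      typeof req.isAuthenticated === 'function' && req.isAuthenticated();
    if (!authenticated || !req.user) {
      return res.status(401).json({ error: 'not authenticated' });
    }
    if (!allowed.has(String(req.user.id))) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}

// Minimal stand-ins for Express req/res so the middleware can be
// exercised without starting a server.
function simulate(req) {
  const result = { status: 200, body: null, nextCalled: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  requirePrivileged(PRIVILEGED_IDS)(req, res, () => { result.nextCalled = true; });
  return result;
}
```

In a real app the middleware would be mounted per route, for example `app.post('/admin', requirePrivileged(PRIVILEGED_IDS), handler)`, after the session and Passport middleware.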