Implement authorization for routes
The following restrictions have to be implemented:
Account:
| action | needed rights |
|---|---|
| update | only for the user itself |
| delete | only for the user itself |
Bonustoken:
| action | needed rights |
|---|---|
| create | only for room owner and moderator |
| delete | only for room owner and moderator |
| deleteByRoom | only for room owner and moderator |
| deleteByCommentIdAndAccountId | only for room owner and moderator |
Comment:
| action | needed rights |
|---|---|
| patch | only for room owner, moderator and comment creator (can't edit moderation flags) |
| update | only for room owner, moderator and comment creator (can't edit moderation flags) |
| delete by Id | only for room owner, moderator and comment creator |
| delete by RoomId | only for room owner and moderator |
Room:
| action | needed rights |
|---|---|
| update | only for room owner |
| delete | only for room owner |
| updateModerator | only for room owner |
| deleteModerator | only for room owner |
RoomAccess:
| action | needed rights |
|---|---|
| create | only for room owner and moderator |
RoomHistory:
Doesn't need special authorization for the creation because the related accountId is set in the backend and not provided by the client.
Vote:
| action | needed rights |
|---|---|
| create | only for yourself |
| delete | only for the user itself |
| resetVote | only for the user itself |
Edited by Tim Dahmen
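
A sketch of the Comment rules from the table above as deny-by-default checks, added here as an example and not taken from the project's code. The flag names in `MODERATION_FLAGS`, the `Room`/`Comment` shapes and the function names are hypothetical, and the sketch assumes the "can't edit moderation flags" restriction applies to the comment creator only.

```python
from dataclasses import dataclass

# Hypothetical flag names; the issue does not list the moderation fields.
MODERATION_FLAGS = frozenset({"ack", "favorite", "correct"})


@dataclass(frozen=True)
class Room:
    owner_id: str
    moderator_ids: frozenset = frozenset()


@dataclass(frozen=True)
class Comment:
    creator_id: str
    room: Room


def is_owner_or_moderator(account_id, room):
    """account_id must come from the authenticated session, never the request body."""
    if account_id is None:
        return False
    return account_id == room.owner_id or account_id in room.moderator_ids


def may_patch_comment(account_id, comment, changed_fields):
    """patch / update: owner, moderator, or creator without moderation flags."""
    if is_owner_or_moderator(account_id, comment.room):
        return True  # a creator who also moderates keeps the moderator rights
    if account_id is not None and account_id == comment.creator_id:
        # Field-level check: reject the whole request if any flag is touched.
        return not (set(changed_fields) & MODERATION_FLAGS)
    return False  # everyone else, including anonymous callers


def may_delete_comment_by_id(account_id, comment):
    """delete by Id: owner, moderator or comment creator."""
    if is_owner_or_moderator(account_id, comment.room):
        return True
    return account_id is not None and account_id == comment.creator_id


def may_delete_comments_by_room(account_id, room):
    """delete by RoomId: owner and moderator only."""
    return is_owner_or_moderator(account_id, room)
```

For patch requests, `changed_fields` should be the set of keys actually present in the request, so a creator cannot set a flag alongside an allowed field.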