
What's wrong with this logic? Node JS

I built a mini CMS app with Node JS. I allow users to edit their own profile and admins to edit all profiles. I have a weird problem with the logic - if I use this syntax, I get an error (401) when an admin tries to edit another user's profile:

if (!loggedUser.isAdmin || foundUser.id !== loggedUser.id) {
  res.status(401).json();
} else {
  // Save Updated User
  foundUser.username = req.body.username;
  foundUser.birthday = req.body.birthday;
  foundUser.personalWeb = req.body.personalWeb;
  foundUser.location = req.body.location;
  foundUser.save().then(() => res.status(200).json(200));
}

But if I use this syntax, the permissions work just fine:

if (loggedUser.isAdmin || foundUser.id === loggedUser.id) {
  // Save Updated User
  foundUser.username = req.body.username;
  foundUser.profileImg = req.body.profileImg;
  foundUser.personalWeb = req.body.personalWeb;
  foundUser.location = req.body.location;
  foundUser.save().then(() => res.status(200).json(200));
} else {
  res.status(401).json();
}

Can someone please explain what's the difference between the two conditions?

!loggedUser.isAdmin || foundUser.id !== loggedUser.id and loggedUser.isAdmin || foundUser.id === loggedUser.id are not boolean inverses of each other.

The first is saying "if the user is not an admin or the found user's id does not match the logged in user's id." In the case of an admin you would expect their id to not match the found user's id.

I think that your second code block is easier to read and you should keep it, but if you wanted to do the negative condition first it would be:

!loggedUser.isAdmin && foundUser.id !== loggedUser.id

That is: "if the logged in user is not an admin and the found user's id does not match the logged in user's id."

This is also the boolean inverse:

!(loggedUser.isAdmin || foundUser.id === loggedUser.id)
// expands to
!loggedUser.isAdmin && foundUser.id !== loggedUser.id

It was surprisingly difficult for me to find good documentation or descriptions of boolean negation, but this article explains the concepts well I think: http://www.math.toronto.edu/preparing-for-calculus/3_logic/we_3_negation.html

Although you can simplify boolean expressions, I think it's best to write them in a way that makes the most sense to read back for you and your development team, so I suggest you use the first block since it's easy to read. Failing that, leave a comment about what the expression is trying to accomplish.
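As an added illustration (not code from the question or the answers), the following evaluates the question's deny-first condition and its De Morgan inverse over every combination of "is admin" and "editing own profile", using constructed user objects; the names canEdit, deniedBuggy, deniedCorrect and compareConditions are assumptions for this example.

```javascript
// The positive rule from the second block: admins may edit anyone,
// everyone else only their own profile.
function canEdit(loggedUser, foundUser) {
  return loggedUser.isAdmin || foundUser.id === loggedUser.id;
}

// The question's first attempt: each term negated, but || kept.
function deniedBuggy(loggedUser, foundUser) {
  return !loggedUser.isAdmin || foundUser.id !== loggedUser.id;
}

// The real inverse of canEdit via De Morgan: !(A || B) is !A && !B.
function deniedCorrect(loggedUser, foundUser) {
  return !loggedUser.isAdmin && foundUser.id !== loggedUser.id;
}

// Run both denial conditions over the four relevant cases (constructed
// sample users) and flag where the buggy one disagrees with canEdit.
function compareConditions() {
  const cases = [
    { label: 'admin edits own profile',   logged: { id: 1, isAdmin: true },  found: { id: 1 } },
    { label: 'admin edits other profile', logged: { id: 1, isAdmin: true },  found: { id: 2 } },
    { label: 'user edits own profile',    logged: { id: 3, isAdmin: false }, found: { id: 3 } },
    { label: 'user edits other profile',  logged: { id: 3, isAdmin: false }, found: { id: 4 } },
  ];
  return cases.map(({ label, logged, found }) => {
    const allowed = canEdit(logged, found);
    const buggyDenies = deniedBuggy(logged, found);
    return {
      label,
      allowed,
      buggyDenies,
      correctDenies: deniedCorrect(logged, found),
      // A denial check is wrong whenever it denies exactly the allowed cases.
      buggyMismatch: buggyDenies === allowed,
    };
  });
}

// Cases the buggy condition gets wrong: it 401s admins editing others
// AND ordinary users editing themselves, which is what both answers observe.
function wronglyDenied() {
  return compareConditions().filter((r) => r.buggyMismatch).map((r) => r.label);
}

console.table(compareConditions());
```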

It's because your foundUser.id !== loggedUser.id is evaluating to true when editing any user that's not you.

To add to that, any non-admin user will get a 401 due to the first condition evaluating to true.

With || as long as one condition is met, the body will execute and then it's done. It won't move on to the else body if only one condition is false. Both need to be false.

Personally I would just use your second example. It's more readable.
