
Angular authorization

I have built an application which has user authentication and authorization. If the user is authenticated, they are redirected to a route where they can post form data. When posting the data, let's say name and hobbies, a userID is generated by the backend.

Below is the response:

{
  "posts": [
    {
      "name": "manoj",
      "hobbies": "Reading books",
      "creator": "4543300vdvdvE33"
    }
  ]
}

Now I'm handling my posts view route, which is iterated using *ngFor="let post of posts". Here I'm using *ngIf="userIsAuthenticated && userId === post.creator" to show the posts only if the user is authenticated and is the creator of the post.

Is there any better way to handle this situation directly through login, like only A's posts should be visible to A, or should this be handled directly in the backend to get the respective posts after login?

For security reasons, you should definitely only query posts by the user and return his posts. If you don't filter it first, not only do you run the risk of overloading your API with an outrageous amount of return data, but you also expose the posts of other users to the client in case the user is tech-savvy and checks your API response via client debug tools.

Yes, he is right: you need an API in the backend that takes a userId parameter and gets you all posts related to that userId. Then, in the intended page, you should call it.
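The server-side filtering both answers recommend, as an added example that is not part of the original question or answers: a framework-free handler that returns only the caller's posts, taking the user id from the authenticated session instead of trusting a userId value sent by the client. The route name, the session map, the tokens and the second user are assumptions constructed for illustration.

```javascript
// Constructed sample data: posts from two users, in the shape shown in the question.
const POSTS = [
  { name: "manoj", hobbies: "Reading books", creator: "4543300vdvdvE33" },
  { name: "asha", hobbies: "Chess", creator: "user-b-constructed" },
];

// Assumption: at login the backend stored token -> userId server-side.
// A verified signed token (for example a JWT) would play the same role.
const SESSIONS = new Map([
  ["token-a-constructed", "4543300vdvdvE33"],
  ["token-b-constructed", "user-b-constructed"],
]);

// Resolve the caller's identity from the Authorization header only.
// Returns the userId, or null when the header is missing or the token is unknown.
function authenticate(req) {
  const header = (req.headers && req.headers.authorization) || "";
  const match = /^Bearer (\S+)$/.exec(header);
  if (!match) return null;
  return SESSIONS.get(match[1]) || null;
}

// Hypothetical handler for GET /api/posts.
// Takes a request-like object and returns { status, body }.
function listMyPosts(req) {
  const userId = authenticate(req);
  if (!userId) {
    return { status: 401, body: { message: "Not authenticated" } };
  }
  // Any userId in req.query or req.body is ignored on purpose: if the filter
  // used a client-supplied id, changing that id would return another user's posts.
  const posts = POSTS.filter((post) => post.creator === userId);
  return { status: 200, body: { posts } };
}
```

With the filter applied on the server, the *ngIf ownership check in the template becomes a display convenience only, because other users' posts never reach the browser.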

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 