Angular authorization

I have built an application which has user authentication and authorization. So if a user is authenticated, they are redirected to a route where they can post form data. While posting the data, let's say name & hobbies, a userID is generated by the backend.

Below is the response

{
  "posts": [
    {
      "name": "manoj",
      "hobbies": "Reading books",
      "creator": "4543300vdvdvE33"
    }
  ]
}

Now I'm handling my posts view route, which is iterated using `*ngFor="let post of posts"`. Here I'm using `*ngIf="userIsAuthenticated && userId = post.created"` to show the posts only if the user is authenticated and if he is the creator of the post.

Is there any better way to handle this situation directly through login, like only A's posts should be visible to A, or should this be handled directly in the backend to get the respective posts after login?

Comments
  • bquos
    bquos replies

    For security reasons, you should absolutely query only the user's posts and return only those. If you don't filter them first, you not only risk overloading the API with large amounts of returned data, but you also expose other users' posts to a user, in case that user is tech-savvy and inspects your API responses with client-side debugging tools.
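To make the comment concrete, here is an added example (not code from the question or the answer) of the difference between returning everything and letting `*ngIf` hide it, and filtering on the server by the verified identity. It assumes an authentication middleware has already validated the session or token and placed the user id in `req.userId`; the handlers are plain functions so they run without Express, and the sample posts are constructed (the creator id `4543300vdvdvE33` is the one from the response above, `user-b` is made up).

```javascript
// Constructed sample data standing in for the posts collection in the database.
const POSTS = [
  { id: 1, name: "manoj", hobbies: "Reading books", creator: "4543300vdvdvE33" },
  { id: 2, name: "alice", hobbies: "Chess", creator: "user-b" },
  { id: 3, name: "manoj", hobbies: "Cycling", creator: "4543300vdvdvE33" },
];

// Insecure variant: every post is sent to every authenticated client, and the
// Angular template is trusted to hide the ones that do not belong to the user.
// Anyone who opens the browser's network tab sees the full list anyway.
function listPostsInsecure(req) {
  if (!req.userId) return { status: 401, body: { message: "Not authenticated" } };
  return { status: 200, body: { posts: POSTS } };
}

// Secure variant: the server selects rows using only the identity established by
// the auth middleware. The filter value must never come from a query parameter or
// request body, because the client can set those to any value.
function listPostsForUser(req) {
  if (!req.userId) return { status: 401, body: { message: "Not authenticated" } };
  const posts = POSTS.filter((p) => p.creator === req.userId);
  return { status: 200, body: { posts } };
}

// The same object-level check for a single-post endpoint such as GET /api/posts/:id.
// A post owned by someone else is reported as 404 rather than 403 so the response
// does not confirm that the id exists.
function getPostForUser(req, postId) {
  if (!req.userId) return { status: 401, body: { message: "Not authenticated" } };
  const post = POSTS.find((p) => p.id === postId);
  if (!post || post.creator !== req.userId) {
    return { status: 404, body: { message: "Not found" } };
  }
  return { status: 200, body: post };
}

// With Express these would be wired up as, for example:
// app.get("/api/posts", checkAuth, (req, res) => {
//   const r = listPostsForUser(req); res.status(r.status).json(r.body);
// });
console.log(listPostsForUser({ userId: "4543300vdvdvE33" }).body.posts.length); // 2
```

The client-side `*ngIf` can still be kept for the UI, but once the API filters by `req.userId` it is cosmetic rather than the access control.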