Quiz Entry - updated: 2026.06.20
What is authorization and how is it implemented?
Authorization confirms the already-logged-in user has permission to access this specific resource.
After authentication, you must still check:
- Does this user own this resource?
- Does this user have the required role/permission?
// Example: Check if user owns the task
const task = await tasks.findOne({ _id: taskId });
if (task.user !== req.session.user) {
return res.status(403).json({ error: 'Forbidden' });
}
Simple approach: Store owner username with each resource and compare against req.session.user.