
Resource ownership checks in Express

Introduction

Resource ownership checks ensure that a user can read or modify only the resources they own. Without them, any authenticated user who can guess or enumerate an identifier (for example /posts/2) can read or change another user's data, so the check is a core part of access control, not just a privacy nicety.

When a user tries to edit their own profile information.
When a user wants to delete a post they created.
When showing private data that belongs only to the logged-in user.
When preventing users from accessing or changing other users' resources.
When building APIs that require secure access control.
Syntax
Express
app.put('/resource/:id', (req, res, next) => {
  // req.user is populated by authentication middleware that ran before this handler
  const resource = getResourceById(req.params.id);
  if (!resource) {
    return res.status(404).send('Resource not found');
  }
  // Compare the stored owner with the authenticated caller, never with an id from the request body
  if (resource.ownerId !== req.user.id) {
    return res.status(403).send('Forbidden');
  }
  // proceed with update
});

Check if the resource's owner ID matches the logged-in user's ID.

Send a 403 Forbidden response if the user does not own the resource.

Examples
This example checks ownership before deleting a post.
Express
app.delete('/posts/:postId', (req, res) => {
  const post = findPost(req.params.postId);
  if (!post) {
    return res.status(404).json({ error: 'Post not found' });
  }
  if (post.ownerId !== req.user.id) {
    return res.status(403).json({ error: 'Not allowed' });
  }
  deletePost(req.params.postId);
  res.json({ message: 'Post deleted' });
});
Here, the profile shown is always for the logged-in user, so ownership is implicit.
Express
app.get('/profile', (req, res) => {
  const userProfile = getUserProfile(req.user.id);
  res.json(userProfile);
});
Ownership check before allowing a comment update.
Express
app.put('/comments/:id', (req, res) => {
  const comment = getCommentById(req.params.id);
  if (!comment) {
    return res.status(404).send('Comment not found');
  }
  if (comment.ownerId !== req.user.id) {
    return res.status(403).send('Forbidden');
  }
  updateComment(req.params.id, req.body);
  res.send('Comment updated');
});
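The three examples above repeat the same sequence: load the resource, return 404 if it is missing, return 403 if the owner differs. The block below is an added example, not code from the original page, that factors that sequence into a reusable Express-style middleware and exercises it with hand-built request and response objects, so it runs without Express installed or a network listener. The names requireOwnership, findPost, fakeRes and attemptUpdate, and the sample posts, are constructed for this example. It also adds two things the examples above omit: a 401 when no authenticated user is attached to the request, and comparison of the ids as strings, because route parameters always arrive as strings while ids coming from a database may be numbers.

```javascript
// Added example (not from the original page): reusable ownership middleware.
// `load` is an assumed loader: (id) => resource | null, sync or async.
// `param` names the route parameter carrying the resource id.
function requireOwnership(load, param = 'id') {
  return async function ownershipCheck(req, res, next) {
    // 1. Authentication must already have run. Never fall back to an id from
    //    the body or query string: the client controls those (classic IDOR).
    if (!req.user || req.user.id === undefined) {
      return res.status(401).json({ error: 'Authentication required' });
    }

    let resource;
    try {
      resource = await load(req.params[param]);
    } catch (err) {
      return next(err); // let the app's error handler deal with loader failures
    }

    // 2. Unknown resource.
    if (!resource) {
      return res.status(404).json({ error: 'Not found' });
    }

    // 3. Ownership. Compare as strings: req.params values are strings, while a
    //    database may return numeric ids, and 7 !== '7' would reject the owner.
    if (String(resource.ownerId) !== String(req.user.id)) {
      return res.status(403).json({ error: 'Forbidden' });
    }

    // 4. Pass the loaded resource on so the handler does not fetch it again
    //    (a second fetch would reopen a check-then-act gap).
    req.resource = resource;
    return next();
  };
}

// --- Constructed sample data and a minimal res/next harness ----------------
const posts = [
  { id: 1, ownerId: 'user1', content: 'Hello world' },
  { id: 2, ownerId: 'user2', content: 'Hi there' },
  { id: 3, ownerId: 7, content: 'Numeric owner id' },
];
const findPost = async (id) =>
  posts.find((p) => String(p.id) === String(id)) || null;

// Fake response object that records status and body instead of sending them.
function fakeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Run the middleware for a given caller and post id and report the outcome.
async function attemptUpdate(user, postId) {
  const req = { user, params: { id: postId }, body: { content: 'edited' } };
  const res = fakeRes();
  let reachedHandler = false;
  await requireOwnership(findPost)(req, res, () => { reachedHandler = true; });
  if (reachedHandler) {
    req.resource.content = req.body.content; // the route handler's own work
    return { status: 200, content: req.resource.content };
  }
  return { status: res.statusCode, error: res.body.error };
}

async function demo() {
  console.log(await attemptUpdate({ id: 'user1' }, '1')); // 200: owner
  console.log(await attemptUpdate({ id: 'user1' }, '2')); // 403: someone else's post
  console.log(await attemptUpdate({ id: 'user1' }, '99')); // 404: no such post
  console.log(await attemptUpdate(undefined, '1'));        // 401: not logged in
  console.log(await attemptUpdate({ id: '7' }, '3'));      // 200: string vs numeric id
}
demo();
```

In a real app the middleware is mounted ahead of the handler, for example app.put('/posts/:id', requireOwnership(findPost), handler), and the handler reads req.resource instead of loading the post a second time.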
Sample Program

This Express app simulates a user logged in as 'user1'. It allows updating posts only if the logged-in user owns the post. If the user tries to update a post they don't own, the server responds with 403 Forbidden.

Express
import express from 'express';
const app = express();
app.use(express.json());

// Fake data store
const posts = [
  { id: '1', ownerId: 'user1', content: 'Hello world' },
  { id: '2', ownerId: 'user2', content: 'Hi there' }
];

// Fake authentication middleware
app.use((req, res, next) => {
  req.user = { id: 'user1' }; // Simulate logged-in user
  next();
});

// Route to update a post
app.put('/posts/:id', (req, res) => {
  const post = posts.find(p => p.id === req.params.id);
  if (!post) {
    return res.status(404).send('Post not found');
  }
  if (post.ownerId !== req.user.id) {
    return res.status(403).send('Forbidden: You do not own this post');
  }
  post.content = req.body.content || post.content;
  res.json(post);
});

// Start server
app.listen(3000, () => {
  console.log('Server running on http://localhost:3000');
});
Important Notes

Always verify ownership on the server before reading or changing a resource. Hiding a button in the UI is not a check.

Populate req.user from authentication middleware (a verified session or token) and compare the resource's owner against that. Never take the user id from the request body, query string or a client-controlled header, since the client could then claim any owner it likes.

Make sure the authentication middleware runs before the route. If req.user may be missing, respond with 401 instead of letting req.user.id throw.

Return clear status codes: 401 for an unauthenticated request, 403 when the caller is authenticated but not the owner, 404 when the resource does not exist. Note that distinguishing 403 from 404 tells a caller that the resource exists; if that matters for your data, return 404 in both cases.

Summary

Resource ownership checks protect user data by allowing only owners to modify or view their resources.

Check ownership by comparing resource owner ID with logged-in user ID.

Respond with 403 Forbidden if ownership does not match.