Express framework, ~20 mins

Resource ownership checks in Express - Practice Problems & Coding Challenges

Challenge - 5 Problems
Component behavior
intermediate
What is the output when a user tries to delete a resource they do not own?

Consider this Express route that deletes a post only if the logged-in user owns it.

app.delete('/posts/:id', (req, res) => {
  const post = posts.find(p => p.id === req.params.id);
  if (!post) return res.status(404).send('Post not found');
  if (post.ownerId !== req.user.id) return res.status(403).send('Forbidden');
  posts = posts.filter(p => p.id !== req.params.id);
  res.send('Deleted');
});

If req.user.id is 'user2' and the post owner is 'user1', what will the response be?

A. Status 200 with message 'Deleted'
B. Status 404 with message 'Post not found'
C. Status 403 with message 'Forbidden'
D. Status 500 with server error
💡 Hint

Check the ownership condition before deleting.

📝 Syntax
intermediate
Which option correctly checks resource ownership in Express middleware?

Choose the correct middleware snippet that verifies if the logged-in user owns the resource before proceeding.

A.
function checkOwner(req, res, next) {
  if (req.resource.owner !== req.user.id) {
    return res.status(403).send('Forbidden');
  }
  next();
}
B.
function checkOwner(req, res, next) {
  if (req.resource.owner = req.user.id) {
    next();
  } else {
    res.status(403).send('Forbidden');
  }
}
C.
function checkOwner(req, res, next) {
  if (req.resource.owner !== req.user) {
    return res.status(403).send('Forbidden');
  }
  next();
}
D.
function checkOwner(req, res, next) {
  if (req.resource.owner !== req.user.id) {
    next();
  } else {
    res.status(403).send('Forbidden');
  }
}
💡 Hint

Remember to use strict comparison and call next() only if ownership matches.

🔧 Debug
advanced
Why does this ownership check always allow deletion?

Examine this Express route:

app.delete('/items/:id', (req, res) => {
  const item = items.find(i => i.id === req.params.id);
  if (!item) return res.status(404).send('Not found');
  if (item.ownerId = req.user.id) {
    items = items.filter(i => i.id !== req.params.id);
    return res.send('Deleted');
  }
  res.status(403).send('Forbidden');
});

Why does this code allow any user to delete any item?

A. Because '=' is used instead of '===', causing assignment instead of comparison
B. Because items.filter does not remove the item correctly
C. Because req.user.id is undefined, causing the check to fail
D. Because the route does not call next() middleware
💡 Hint

Look carefully at the if condition syntax.

State output
advanced
What is the state of the posts array after this ownership check and deletion?

Given this initial posts array:

let posts = [
  { id: '1', ownerId: 'user1' },
  { id: '2', ownerId: 'user2' },
  { id: '3', ownerId: 'user1' }
];

And this Express route:

app.delete('/posts/:id', (req, res) => {
  const post = posts.find(p => p.id === req.params.id);
  if (!post) return res.status(404).send('Not found');
  if (post.ownerId !== req.user.id) return res.status(403).send('Forbidden');
  posts = posts.filter(p => p.id !== req.params.id);
  res.send('Deleted');
});

If req.user.id is 'user1' and the request is to delete post with id '2', what will be the posts array after the request?

A. []
B. [{ id: '1', ownerId: 'user1' }, { id: '3', ownerId: 'user1' }]
C. [{ id: '2', ownerId: 'user2' }]
D. [{ id: '1', ownerId: 'user1' }, { id: '2', ownerId: 'user2' }, { id: '3', ownerId: 'user1' }]
💡 Hint

Check if the ownership condition allows deletion.

🧠 Conceptual
expert
Which is the best practice to ensure resource ownership in an Express app?

Choose the best approach to enforce resource ownership checks across multiple routes in an Express application.

A. Add ownership checks inside each route handler manually
B. Use a dedicated middleware that loads the resource and verifies ownership before route handlers
C. Trust the client to send only owned resource IDs and skip server checks
D. Check ownership only after performing the resource modification
💡 Hint

Think about code reuse and security.