I'm learning Node.js with MongoDB and Express and it is going quite well.
I have my user registration working fine and every user can create posts.
Now I'm trying something more complicated: I'd like users to create private posts, and only the user who created a post and other allowed users can see it.
I did something and it seems to work but I think it can be done in some better way.
What I have now to get the post at this address www.mywebsite.com/post-title is this:
    Post
      .findOne({ permalink: req.params.permalink })
      .exec(function(err, post) {
        if (!post) {
          req.flash('errors', { msg: 'Post not found' });
          return res.redirect('/');
        } else {
          if (post._creator == req.user.id) {
            res.render('post/home', {
              title: post.name,
              post: post
            });
          } else {
            req.flash('errors', { msg: 'You are not allowed to see this post' });
            res.redirect('/');
          }
        }
      });
It works fine, but if I wish to add a few more options to this post and create another link like www.mywebsite.com/post-title/tags, I have to repeat the whole code posted above to get that page...
I wish to find a way to easily match the owner of the post or allowed people, and a way to get the post through the permalink without using findOne for every get...
Is this possible? Does it make sense?
Thanks
I might have helped you to "simplify" your question and just explain what you wanted to do. But those who take the time to read all of it would eventually see that you basically want to
"List all posts including private and allowed posts for the current user."
Which is basically the simplified version of the question.
So all you basically need are some fields on your "Post" document that allow the access control:
    {
      "title": "this is the title",
      "permalink": "some/sort/of/slug",
      "body": "post body here",
      "creator": "Bill",
      "_private": true,
      "_allowed": ["Ted","Fred"]
    }
So basically you are not going to care about the "_allowed" list where "private" is false, but you do want to care where this is true. So you want this logic in the query rather than evaluating it per document retrieved:
    Post.find(
      {
        "$or": [
          { "_private": false },
          {
            "_private": true,
            "$or": [
              { "creator": req.user.id },
              { "_allowed": req.user.id }
            ]
          }
        ]
      },
      function(err, docs) {
        // docs contains only the posts the current user is allowed to see
      }
    );
So essentially your logic is based on a nested $or operation which either allows the public posts to display or otherwise, where the post is private, then only the "creator" $or the "_allowed" users will receive this in any query.
The logic applies to whether you are retrieving a list of posts for paging results or whether recalling an individual post for a single in-depth display.
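The query-level check from the answer, wrapped in one reusable Express middleware so each permalink route does not repeat the lookup. This is an added example, not code from the original question or answer: `visibilityFilter`, `loadPost`, `matches`, `visiblePermalinks` and the sample posts are hypothetical, and `Post` is assumed to be a Mongoose model using the answer's field names.

```javascript
// Added example; field names follow the answer's schema, everything else is assumed.
// Build the access-control clause once so every query shares it.
function visibilityFilter(userId) {
  const clauses = [{ _private: false }];
  // Anonymous visitors (no userId) can only ever match public posts.
  if (userId) {
    clauses.push({ _private: true, $or: [{ creator: userId }, { _allowed: userId }] });
  }
  return { $or: clauses };
}

// Express middleware factory so /:permalink and /:permalink/tags share one lookup.
// `Post` is assumed to be a Mongoose model (findOne(filter) is awaitable).
function loadPost(Post) {
  return async function (req, res, next) {
    try {
      const userId = req.user ? req.user.id : null;
      const filter = { $and: [{ permalink: req.params.permalink }, visibilityFilter(userId)] };
      const post = await Post.findOne(filter);
      // Same answer for "missing" and "not allowed": private permalinks are not revealed.
      if (!post) return res.status(404).send('Post not found');
      req.post = post; // later handlers render req.post without querying again
      next();
    } catch (err) {
      next(err);
    }
  };
}

// Minimal in-memory matcher for the operators used above ($and, $or, equality,
// array membership), so the filter can be exercised without a database.
function matches(doc, filter) {
  return Object.entries(filter).every(([key, cond]) => {
    if (key === '$or') return cond.some((f) => matches(doc, f));
    if (key === '$and') return cond.every((f) => matches(doc, f));
    return Array.isArray(doc[key]) ? doc[key].includes(cond) : doc[key] === cond;
  });
}

// Constructed sample data, shaped like the answer's document.
const posts = [
  { permalink: 'public-post', creator: 'Bill', _private: false, _allowed: [] },
  { permalink: 'secret-post', creator: 'Bill', _private: true, _allowed: ['Ted', 'Fred'] },
];
function visiblePermalinks(userId) {
  return posts.filter((p) => matches(p, visibilityFilter(userId))).map((p) => p.permalink);
}

console.log(visiblePermalinks('Ted'), visiblePermalinks('Eve'), visiblePermalinks(null));
```

A route would then be registered as `app.get('/:permalink/tags', loadPost(Post), handler)`, with the handler reading `req.post`.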