Version: 2.2.0 (latest)
Todos & Ownership
Currently the API returns everyone's todos to each user. This is not the expected behavior. Each user should have access only to his or her own tasks.
Go back to the ApiController and update the getTodos route.
The Context object contains four properties:
- the express request object,
- an empty object called state which can be used to share data between hooks,
- a session object,
- and the user object that is defined if a user logged in.
Refresh the todo-list page. You should only see the todos of the user you logged in as.
Yet, if you try to create a new to-do, it will disappear upon page refresh. This is perfectly normal since we do not specify its owner upon creation.
As for the delete feature, you also need to restrict its access. Users should only be able to delete their todos.
Update the api controller.
The application is now working properly.
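The three ownership rules described above (list only the user's todos, set the owner on creation, delete only owned todos), as an added TypeScript example that is not the tutorial's controller code. It uses an in-memory store instead of the database; TodoStore, Ctx, AuthUser, TodoRow, HandlerResult and the handler bodies are hypothetical, and it assumes the routes already require a logged-in user so that the user is always defined.

```typescript
// Added example: in-memory stand-in for the todo table and the request context.
// All type and class names below are hypothetical, not framework APIs.
interface AuthUser { id: number }
interface TodoRow { id: number; text: string; ownerId: number }
interface Ctx { user: AuthUser; params: { id?: string }; body: { text?: string; ownerId?: number } }
interface HandlerResult { status: number; body?: unknown }

class TodoStore {
  private rows: TodoRow[] = [];
  private nextId = 1;
  insert(text: string, ownerId: number): TodoRow {
    const todo: TodoRow = { id: this.nextId++, text, ownerId };
    this.rows.push(todo);
    return todo;
  }
  // Every read and delete takes the owner as part of the lookup key.
  findByOwner(ownerId: number): TodoRow[] {
    return this.rows.filter(t => t.ownerId === ownerId);
  }
  removeOwned(id: number, ownerId: number): boolean {
    const i = this.rows.findIndex(t => t.id === id && t.ownerId === ownerId);
    if (i === -1) return false;
    this.rows.splice(i, 1);
    return true;
  }
}

const todoStore = new TodoStore();

function getTodos(ctx: Ctx): HandlerResult {
  return { status: 200, body: todoStore.findByOwner(ctx.user.id) };
}

function postTodo(ctx: Ctx): HandlerResult {
  if (typeof ctx.body.text !== 'string' || ctx.body.text === '') return { status: 400 };
  // The owner comes from the authenticated user, never from the request body.
  return { status: 201, body: todoStore.insert(ctx.body.text, ctx.user.id) };
}

function deleteTodo(ctx: Ctx): HandlerResult {
  const id = Number(ctx.params.id);
  if (!Number.isInteger(id)) return { status: 400 };
  // Another user's todo looks the same as a missing one: 404 in both cases.
  return todoStore.removeOwned(id, ctx.user.id) ? { status: 204 } : { status: 404 };
}
```

Answering 404 rather than 403 for a todo owned by someone else keeps the response from confirming that the id exists.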