Authentication And Security

How to enforce that a user who owns content is the only one who can edit/delete that content

In this guide, we'll walk through how to set up user permissions for a photo sharing app using Xano's no-code platform. We'll ensure that only authenticated users can view photos, and that users can only edit or delete the photos they've uploaded themselves. Both rules are enforced inside the API endpoints, so they hold no matter what the front end sends.

Step 1: Set Up Authentication

First, we need to make sure that only authenticated users can access the photo data. In Xano, this is done by enabling user authentication on the API endpoint that retrieves all photos.

  1. Navigate to the "Get Photos" API endpoint in your Xano project.
  2. Click on the "Authentication" tab.
  3. Enable the "Require Authentication" option.

Now, only users who are signed in and present a valid authentication token will be able to call this endpoint and view the photos. Note that this step only establishes who the caller is; it does not yet restrict which photos a given user may change. That is the job of the ownership checks in Steps 3 and 4.

Step 2: Allow Authenticated Users to View Photos

With authentication enabled, every authenticated user can view every photo returned by "Get Photos", which is the behaviour we want for this app. If you later decide the photos should be publicly visible without signing in, disable the "Require Authentication" option on that endpoint only; leave it enabled on the edit and delete endpoints, because the ownership checks below depend on knowing who the caller is.

Step 3: Enforce Ownership for Editing Photos

To ensure that users can only edit photos they've uploaded themselves, we need to add a precondition to the "Edit Photo" API endpoint that runs before the update is applied. The check compares the user ID from the verified authentication token with the user ID stored on the photo record; it never trusts a user ID supplied in the request.

  1. Navigate to the "Edit Photo" API endpoint.
  2. Click on the "Function" tab.
  3. In the function code, you'll see a line that retrieves the photo record based on the provided photo ID:

       const photoOwner = await xano.data.fetchByID('photos', photoID);

  4. Before the update is applied, add a precondition that checks if the authenticated user's ID matches the user ID of the photo owner. Handle the case where no record exists first, otherwise the comparison fails on a null record instead of returning a clean error:

       // No such photo: fail closed rather than dereferencing null.
       if (!photoOwner) {
         throw new xano.Exception("Photo not found.");
       }
       // xano.auth.userID comes from the verified token, not from the request.
       const precondition = photoOwner.userID === xano.auth.userID;
       if (!precondition) {
         throw new xano.Exception("You can only edit your own photos.");
       }

With this precondition in place, users will only be able to edit photos where their user ID matches the user ID associated with the photo record. Because the comparison uses the ID from the verified token, a caller cannot bypass it by sending someone else's user ID in the request body. Make sure the update itself only writes the fields you intend (caption, title and so on) and never copies a client-supplied userID onto the record, or a user could hand their photo to someone else, or take over a photo they have just been allowed to edit.

Step 4: Enforce Ownership for Deleting Photos

The process for enforcing ownership when deleting photos is similar to editing. Follow these steps:

  1. Navigate to the "Delete Photo" API endpoint.
  2. Click on the "Function" tab.
  3. In the function code, you'll see a line that retrieves the photo record based on the provided photo ID:

       const photoOwner = await xano.data.fetchByID('photos', photoID);

  4. Before the record is removed, add the same precondition that checks if the authenticated user's ID matches the user ID of the photo owner, again handling a missing record first:

       // No such photo: fail closed rather than dereferencing null.
       if (!photoOwner) {
         throw new xano.Exception("Photo not found.");
       }
       // xano.auth.userID comes from the verified token, not from the request.
       const precondition = photoOwner.userID === xano.auth.userID;
       if (!precondition) {
         throw new xano.Exception("You can only delete your own photos.");
       }

Now, users will only be able to delete photos where their user ID matches the user ID associated with the photo record.
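The two preconditions in Steps 3 and 4 are the same check, so it is worth writing it once and calling it from both endpoints. The block below is an added example, not Xano's own API or code from this page: an in-memory Map stands in for the photos table, a plain object with a userID field stands in for the verified token, and the names fetchByID, assertOwner, editPhoto, deletePhoto and AccessError are assumptions made for the illustration. It also handles the cases the page's snippet glosses over: a missing record, an anonymous caller, a token that carries the user ID as a string, and a request body that tries to overwrite userID.

```javascript
// Added example (not Xano's own API): the ownership check from Steps 3 and 4
// written as one reusable guard, with an in-memory Map standing in for the
// 'photos' table and a plain object standing in for the verified auth token.

// Constructed sample data: two photos owned by two different users.
const photos = new Map([
  [1, { id: 1, userID: 10, caption: "sunset" }],
  [2, { id: 2, userID: 11, caption: "harbour" }],
]);

// Error carrying an HTTP-style status so callers can distinguish
// "not signed in" (401), "not yours" (403) and "not found" (404).
class AccessError extends Error {
  constructor(message, status) {
    super(message);
    this.name = "AccessError";
    this.status = status;
  }
}

// Stand-in for the data layer's fetch-by-ID call. Returns null when the
// record does not exist instead of throwing, so the guard decides what to do.
function fetchByID(table, id) {
  if (table !== "photos") throw new Error(`unknown table ${table}`);
  const record = photos.get(Number(id));
  return record === undefined ? null : record;
}

// The precondition itself. authUserID must come from the verified token,
// never from the request body or query string.
function assertOwner(record, authUserID) {
  if (authUserID === null || authUserID === undefined) {
    throw new AccessError("Authentication required.", 401);
  }
  if (record === null) {
    throw new AccessError("Photo not found.", 404);
  }
  // Compare as strings: token subjects are often strings while the table
  // stores a number, and a strict 10 !== "10" would lock out the real owner.
  // A record with no owner is treated as owned by nobody (fail closed).
  if (record.userID === null || record.userID === undefined ||
      String(record.userID) !== String(authUserID)) {
    throw new AccessError("You can only modify your own photos.", 403);
  }
  return record;
}

// "Edit Photo": only whitelisted fields are copied from the client input,
// so a request body containing userID cannot reassign ownership.
const EDITABLE_FIELDS = ["caption"];

function editPhoto(auth, photoID, changes) {
  const photo = assertOwner(fetchByID("photos", photoID), auth && auth.userID);
  for (const field of EDITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(changes, field)) {
      photo[field] = changes[field];
    }
  }
  return photo;
}

// "Delete Photo": same guard, then the destructive operation.
function deletePhoto(auth, photoID) {
  const photo = assertOwner(fetchByID("photos", photoID), auth && auth.userID);
  photos.delete(photo.id);
  return photo.id;
}

// Runs an operation and reports its outcome as a status code (200 on success).
function outcome(fn) {
  try {
    fn();
    return 200;
  } catch (err) {
    if (err instanceof AccessError) return err.status;
    throw err;
  }
}

// Stand-alone demo (non-destructive): the owner may edit, nobody else may delete.
console.log("owner edits photo 1:", outcome(() => editPhoto({ userID: 10 }, 1, { caption: "dusk" })));
console.log("user 11 deletes photo 1:", outcome(() => deletePhoto({ userID: 11 }, 1)));
console.log("anonymous deletes photo 1:", outcome(() => deletePhoto(null, 1)));
```

Two design choices are worth calling out. The guard distinguishes 404 from 403, which is convenient for the client but lets a logged-in user probe which photo IDs exist; if that matters for your app, return the same "not found" response for both cases. And the whitelist in editPhoto is what keeps the ownership check meaningful: without it, an owner could set userID on their own photo to any value, and the next edit or delete would be judged against that value.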

By following these steps, you've successfully set up user permissions for your photo sharing app using Xano. Only authenticated users can view photos, and users can only edit or delete the photos they've uploaded themselves. If you add further endpoints that read or modify a single photo (for example a "Get Photo" by ID, or a "Move Photo to Album"), apply the same ownership precondition there; enabling authentication alone does not restrict which records a signed-in user can reach.
