Rules Hub
Coding Rules Library
Enforce authorization for protected actions
Require explicit authn/authz checks before reading or mutating protected data.
Bad example

```typescript
import type { Request, Response } from "express";
import { db } from "./db"; // assumed data-access module (not shown on the page)

// Deliberately missing both authentication and authorization:
// whoever reaches this handler can update any user record.
export async function updateUser(req: Request, res: Response) {
  const user = await db.user.update({
    where: { id: req.params.id },
    data: req.body,
  });

  return res.json(user);
}
```
Explanation (EN)
Without an explicit guard, any caller can update any user record.
Explanation (HR)
Without explicit authorization, any caller can update any user record.
Good example

```typescript
import type { Request, Response } from "express";
import { db } from "./db"; // assumed data-access module (not shown on the page)

// Assumes an upstream auth middleware has populated req.user
// (id plus optional roles) on the augmented Express Request type.
export async function updateUser(req: Request, res: Response) {
  // Authentication: reject anonymous callers before touching protected data.
  if (!req.user) return res.status(401).send("Unauthorized");

  // Authorization: only the record owner or an admin may update this user.
  const isOwner = req.user.id === req.params.id;
  const isAdmin = req.user.roles?.includes("admin");
  if (!isOwner && !isAdmin) {
    return res.status(403).send("Forbidden");
  }

  const user = await db.user.update({
    where: { id: req.params.id },
    data: req.body,
  });

  return res.json(user);
}
```
Explanation (EN)
Explicit authorization checks make access control clear, auditable, and safe.
Explanation (HR)
Explicit authorization checks make access control clear, auditable, and safe.
Exceptions / Tradeoffs (EN)
Public, read-only endpoints can skip auth checks, but must be explicitly documented as public.
Exceptions / Tradeoffs (HR)
Public read-only endpoints may skip auth checks, but they must be explicitly marked as public.