I am developing an application with Mongodb, with roles. I have a collection called users (with username, password, role, active and _id) and another collection that have each roles (student, teacher and admin) that have it’s reference fields or subdocument.
I did it so, because the relation itself is with other collections (exams, tutors, bugs and so on) is not with the user entity, but also the subtype (student, teacher and admin).
The _id field for the user and the subtype collection is the same. I created a transaction in Mongodb to create a user and the document according to the role that is in the User collection (in collection Students or Teachers or Admins) with the same id which is in the Users collection.
Also, the _id in subtype collection’s is a reference field to the User Collection (is primary key and reference field). I am not sure if this is Ok, i have serious doubts.
Ok. The idea, in the part of Express and Mongo, is that when we access a protected record of the application, we pass a Token with the user ID (in headers). In this way, we can access user and validate if it exists, his role and is the owner of the entity we want to modify (ex: one student shouldn’t modify profile data of other users).
Problems with this:
If we want to restrict access to the document in a REST service, we would have to take into account if the IDIt is user, subtype or other entity that relates to the subtype.
It becomes strange if we make the populate of the user’s data through the Subtype ID field (it would appear as an ID instead of for example, task and it is not apparently configurable).
From the URL it is difficult to see the collection we are accessing, since it is not always so obvious.
To sum up, i am confused building an application that uses roles, and the collections depending on an “abstract user”, because the subtypes have different set of fields, and how me should manage in a real application.
As Front i am using Angular 2+. Could you give me a hand? Thank you,