I have a fairly simple use case but can't figure out how to stitch it together.
Basically I want to use user-restricted access for regular users, i.e. they can upload files via an API and other users cannot touch those files via the API.
At the same time I want a special user (admin/super-user) to be able to use the API to GET e.g. all files for a specific user.
Does anybody have any pointers to examples of this or can help point me in the right direction to do this?
One idea I thought of was to pass an additional (optional) parameter to check_auth containing the _id of the user that the admin wants to look at, so if the admin passes in that parameter it will override the admin's own _id. Would this work, or does check_auth have a set parameter list? Any security issues with this approach?
Or is there a better approach - a separate API instance perhaps that uses the same MongoDB collections (is that even possible?).
Regards, Anton
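As an added example that is not part of Anton's post: the authorization decision such a check_auth would have to make, written in plain Python so it runs without Eve. In Eve, check_auth has a fixed signature (username, password, allowed_roles, resource, method), so the admin's target user would come from the request (e.g. a query-string parameter) rather than an extra argument, and the chosen _id is handed to set_request_auth_value(); the parameter name as_user, the role field and the sample data are assumptions.

```python
# Added example (not from the post): the authorization decision behind an
# Eve-style user-restricted resource. Eve itself is not imported so the code
# runs stand-alone; in Eve, the value returned by resolve_auth_value is what
# check_auth would hand to self.set_request_auth_value(), after which Eve
# filters the resource on AUTH_FIELD by itself.

ADMIN_ROLE = "admin"        # assumption: user documents carry a "role" field
OVERRIDE_PARAM = "as_user"  # hypothetical query-string parameter for admins


class Forbidden(Exception):
    """Raised when a non-admin tries to read another user's files."""


def resolve_auth_value(user, requested_user_id):
    """Return the _id that user-restricted lookups must be filtered on.

    `user` is the authenticated caller ({"_id": ..., "role": ...});
    `requested_user_id` is the optional override from the request.
    Regular users always get their own _id; the override is honoured for
    admins only. A regular user's override attempt is rejected rather than
    silently ignored, so it can be logged and alerted on.
    """
    own_id = user["_id"]
    if requested_user_id is None or requested_user_id == own_id:
        return own_id
    if user.get("role") != ADMIN_ROLE:
        raise Forbidden(f"user {own_id} may not read files of {requested_user_id}")
    return requested_user_id


def list_files(files, user, args=None):
    """Apply the filter Eve applies on AUTH_FIELD, here on an in-memory list.

    `args` stands in for request.args (e.g. {"as_user": "u2"}).
    """
    owner = resolve_auth_value(user, (args or {}).get(OVERRIDE_PARAM))
    return [f for f in files if f["owner"] == owner]


# Constructed sample data.
USERS = {
    "alice": {"_id": "u1", "role": "user"},
    "bob": {"_id": "u2", "role": "user"},
    "root": {"_id": "u0", "role": ADMIN_ROLE},
}
FILES = [
    {"_id": "f1", "owner": "u1", "name": "alice.txt"},
    {"_id": "f2", "owner": "u2", "name": "bob.txt"},
    {"_id": "f3", "owner": "u2", "name": "bob2.txt"},
]
```

Calling list_files(FILES, USERS["root"], {"as_user": "u2"}) returns Bob's two files, while the same call as alice raises Forbidden and alice without the parameter sees only her own file.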