Add server side authorization to all existing API routes #53
Description
While the client will only display an option to perform certain actions if a user is authorized to do so, for security purposes, it is still vital to ensure that a use is authorized to mutate any data.
Our middleware will ensure that the api is only callable by signed in users, and there is almost no information that a user should be prevented from viewing. Therefore, we mostly need to protect POST, PATCH, and DELETE routes.
From a high level,
- admins should be able to do anything
- project members and leads should be able to edit information about the projects they are added to
- all users should be able to edit their own personal information, except for modifying their roles
It may be useful to make some helper functions to accomplish all of this.