Hello @Thong_Dang,
Great that it works but it’s pretty weird that the user (request.user) is undefined. You are probably missing the ensureAuthenticated middleware on this route which is also weird.
Example of globally mounted ensureAuthenticatedmiddleware
const {
ensureAuthenticated,
PUBLIC_ROUTES,
} = require('forest-express-mongoose');
...
app.use('/forest', (request, response, next) => {
if (PUBLIC_ROUTES.includes(request.url)) {
return next();
}
return ensureAuthenticated(request, response, next);
});
So you probably don’t have set the permissionMiddlewareCreator.smartAction() neither which is not great. 
https://docs.forestadmin.com/documentation/reference-guide/actions/create-and-manage-smart-actions
Kind regards,
Morgan