How to protect a specific linked relationship field for modification but allow for creation

Hi team,

I would like to have any advice on a specific use case.

Let’s take a classical example:

db.users.hasMany(db.addresses, { foreignKey: 'user_id' });
db.addresses.belongsTo(db.users, { as: 'user', foreignKey: 'user_id' });

I want to authorize my forestadmin users to do the following actions
** create an address for a user*
** update any address of a user*

But I want to:
** forbid any change to the user attached to an address once it is created*

The problem I already encountered is the following one:
Sometimes, by error, a forestadmin user is modifying the user linked to an address entry, and so, the previous record do not have any more address.

How would you recommend to enforce this security?
I cannot set the read only attribute on the field user of address, because of the need to initialize it when creating a record.
Any idea?


Hello @Louis-Marie & sorry for the late reply,

I tried to reproduce the problem you encountered but it was unsuccessful. The update of a record (A) on the parent table keeps well the records depending on (A). Can you tell me which version of forest-express-sequelize you use and your project name. And if it’s possible the code on the users and addresses models ? :slight_smile:

Hi @lclisson

There is no issue. This is a request for an advice.
I think there is a misunderstanding on my question.

Let’s take an example with two records:

A first user record: M. Dupont Henri
has an address: 55, rue des Martyres 75001 Paris

A second user : M. Tartempion Albert
has an address: 23, rue de la Mer 62500 Calais

When updating the address of M. Dupont, a Forestadmin user is able to change the user field to attach it to M. Tartempion.
=> because the user field of address collection can be changed.
It will make M. Tartempion have two addresses, and M. Dupont will not have any more address.

I would like to remove that possibility, and I don’t know how to do it.
I cannot make the user field of address in Read only, because it needs to be initialized when creating an address.

Do you understand now?

Here is my current setup:

    "database_type": "postgres",
    "liana": "forest-express-sequelize",
    "liana_version": "6.6.3",
    "engine": "nodejs",
    "engine_version": "12.13.1",
    "orm_version": "5.22.3"

Indeed I didn’t quite understand the question. :sweat_smile:

You can find all the documentation concerning the logic of your routes here.

I was able to setup a project and find you a workaround. Can you add the following piece of code to your app.js file and tell me if the desired behavior is the right one?

At the top of your file:

const { PermissionMiddlewareCreator, RecordGetter } = require('forest-express-sequelize');
const { addresses } = require('./models');
const permissionMiddlewareCreator = new PermissionMiddlewareCreator('addresses');

And next you can override the right route:

app.put('/forest/addresses/:recordId/relationships/user_id', permissionMiddlewareCreator.update(), async (request, response, next) => {
  try {
    const recordGetter = new RecordGetter(addresses);
    const myRecord = await recordGetter.get(request.params.recordId);
    if (myRecord.user_id) {
      throw new Error();
  } catch (error) {
    response.status(500).send({ error: "Already linked to a record" })

Let me know if it helps :slight_smile: