http - Sending a PATCH request to a object that the user does not own -
i'm developing app has frontend , backend component. use jwt tokens authorize network requests. during development, realize patch route 1 of model objects can patch object account. i can change data @ url "<some-host>/orders/149" if current user doesn't own data. this feels insecure, , i'm not fluent backend stack. guy responsible backend junior (fresh out of bootcamp). i'm wondering if can validation based on jwt token check if user eligible change data. any other advice appreciated!