Chapter 16.
Permission-based authorization
By the time a request leaves our authenticate() middleware, there are now two possible states for the request context. Either:
- The request context contains a User struct (representing a valid, authenticated user).
- Or the request context contains an AnonymousUser struct.
In this section of the book, we’re going to take this to the next natural stage and look at how to perform different authorization checks to restrict access to our API endpoints. Specifically, you’ll learn how to:
- Add checks so that only activated users are able to access the various /v1/movies endpoints.
- Implement a permission-based authorization pattern, which provides fine-grained control over exactly which users can access which endpoints.
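The two checks described above (activated user, then a specific permission) can be layered as middleware that reads the user out of the request context set by authenticate(). The following is an added example written for this page, not the book's own code: the User and AnonymousUser types, the contextSetUser/contextGetUser helpers, the permission code strings such as "movies:write", and the middleware names requireActivatedUser and requirePermission are all assumptions chosen to mirror the pattern, and the sample users are constructed inline. The ordering is the security-relevant point: an anonymous user gets 401, an authenticated but unactivated user gets 403, and only an activated user holding the required permission reaches the handler.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// User is a stand-in for the book's data.User type (field names are assumptions).
type User struct {
	ID          int64
	Activated   bool
	Permissions []string // permission codes granted to this user, e.g. "movies:read"
}

// AnonymousUser is the sentinel stored in the context when no valid token was presented.
var AnonymousUser = &User{}

func (u *User) IsAnonymous() bool { return u == AnonymousUser }

// HasPermission reports whether the user holds the given permission code.
func (u *User) HasPermission(code string) bool {
	for _, p := range u.Permissions {
		if p == code {
			return true
		}
	}
	return false
}

// Unexported key type so no other package can collide with our context value.
type contextKey string

const userContextKey = contextKey("user")

// contextSetUser is what an authenticate() middleware would call (assumed helper).
func contextSetUser(r *http.Request, user *User) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), userContextKey, user))
}

// contextGetUser panics if the value is missing: that is a programming error
// (authorization middleware mounted without authenticate()), not a user error.
func contextGetUser(r *http.Request) *User {
	user, ok := r.Context().Value(userContextKey).(*User)
	if !ok {
		panic("missing user value in request context")
	}
	return user
}

// requireActivatedUser rejects anonymous requests with 401 and unactivated accounts with 403.
func requireActivatedUser(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user := contextGetUser(r)
		if user.IsAnonymous() {
			http.Error(w, "you must be authenticated to access this resource", http.StatusUnauthorized)
			return
		}
		if !user.Activated {
			http.Error(w, "your user account must be activated to access this resource", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	}
}

// requirePermission wraps requireActivatedUser so the activation check always runs first;
// a missing permission is a 403 (the caller is known, just not allowed).
func requirePermission(code string, next http.HandlerFunc) http.HandlerFunc {
	fn := func(w http.ResponseWriter, r *http.Request) {
		if !contextGetUser(r).HasPermission(code) {
			http.Error(w, "your user account doesn't have the necessary permissions to access this resource", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	}
	return requireActivatedUser(fn)
}

func okHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "ok")
}

// statusFor sends a request as the given user through h and returns the response status code.
func statusFor(h http.HandlerFunc, user *User) int {
	r := contextSetUser(httptest.NewRequest(http.MethodGet, "/v1/movies", nil), user)
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, r)
	return rr.Code
}

func main() {
	// Constructed sample users exercising each branch of the checks.
	h := requirePermission("movies:write", okHandler)
	fmt.Println(statusFor(h, AnonymousUser))                                                           // 401
	fmt.Println(statusFor(h, &User{ID: 1, Activated: false, Permissions: []string{"movies:write"}}))    // 403
	fmt.Println(statusFor(h, &User{ID: 2, Activated: true, Permissions: []string{"movies:read"}}))      // 403
	fmt.Println(statusFor(h, &User{ID: 3, Activated: true, Permissions: []string{"movies:read", "movies:write"}})) // 200
}
```

Wrapping requirePermission around requireActivatedUser rather than beside it means every permission-protected route also enforces activation, so a route cannot be accidentally registered with the finer-grained check but not the coarser one.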