If a user is restricted from a "get" route, is the user also restricted from the "post" route?

the below code is a get request to a route that serves the user a particular page if authenticated, and redirects the user if not. “request.user” refers to some Passport (a node package) object that gets created upon authentication.

app.get("/newpoll", function (request, response){
  if (request.user){
    response.sendFile(__dirname + '/views/newpoll.html');
  } else {

can an unauthenticated user access the route through a post request?

app.post("/newpoll", function(request, response){
    var poll;
    request.on('data', function(data) {
      poll = JSON.parse(data);
      poll["user"] = request.user.twitterId;
      console.log("received: " + JSON.stringify(poll))
      MongoClient.connect(url, function(err, db){
        if (db){
          console.log("connected to " + url);
        if (err) {
         console.log("did not connect to " + url)

Nothing in your GET handler will have any bearing on your POST handler. Either 1 or the other is going to be called.

In your “get”, you are testing for the existence of a “user” attribute on the request object. I am going to assume that there was some middleware that only sets this if the user was authenticated, vs simply being an http get parameter. In your POST, you are assuming “user” exists and you are trying to access the twitter id on it. This will throw an exception if “user” is null or undefined, and the client will most likely get a server 500 error. This inconsistency between your 2 functions is a red flag. You should consider refactoring an “isAutheticated” function, put your logic there for determining if the request is in fact authenticated, return a boolean response from it, and then call this function within both your GET and POST handlers. This would make the gaps in your logic easier to see and fix.

I’d try to give you an example, but i am typing this on my phone