Node.js

Where should I check permissions?

Hello.
Where should I check permissions?
For example, there is a class Book, there is a remove method, is it normal to check the rights to delete in the class method or is it not right?
Should this be done in the controller?
For example, I need to get the title of the book, but only the person who created the book has access to this information (Information about the creators is in the user_id field)
If you check access rights in the controller, then you must first make 1 query in the database to get the user_id field, after that, if the request was sent by the owner of the book, then we turn to the class method
and there is another request to the database to pull out the necessary fields (In the example, this is the title of the book).
In such cases, instead of 1 query to the database, we get 2.
When you can get by with one and pull out all the necessary data at once: user_id and title
Now it's done like this:
We turn to the /book/ajax/ route, check the submitted data for validity and then turn to the class, where it is checked for the right to delete the book and the deletion of the book itself
How would it be correct to implement this?