Role based authorization

[ghost]

Why we are using 2 restrictTo functions in admin controller?

router.use(authController.restrictTo('ADMIN', 'SUPER_ADMIN'));

router
  .route('/user/:id')
  .get(userController.getUser)
  .patch(userController.updateUser)
  .delete(userController.deleteUser);
router.get('/users', userController.getAllUsers);


router.put(
  '/authorize-or-restrict/:userId',
  restrictTo(Actions.UPDATE_USER),
  authorizeOrRestrict
);

@bellaabdelouahab

[bellaabdelouahab]

Let me see,
I think we added this to prevent admins from restricting each other,
And also I think there is a diff between restricting to a role and restricting to and authority, maybe we need to chamge the names to know which one which
@muttaqin1

[bellaabdelouahab]

I don't know if this is the best approach to handle roles, but I'd love to hear more about your idea.
@muttaqin1

[ghost]

I believe we dont have any other way.
I suggest you to create a custom role 'Moderator' and provide all the authorities of the admin. Then try to access that route.You cant access because that middleware only gives access to admin and superAdmin.
@bellaabdelouahab

[bellaabdelouahab]

I understand you but we still need to validate the roles other ways we will have to verify every authority,
Search one open source if you found that this is common practice, you can go ahead and implement it.
@muttaqin1

[ghost]

Yes, Thats correct we have to validate the roles or every authority.
The logic to validate every authority is already implemented.

so we can do this:
We will validate User role by the Role and all the upper level roles like Admin, superAdmin will be validated by authorities.
Now just we have to remove the authController restrictTo middleware.
By doing this we can achieve a great admin management.
@bellaabdelouahab

[bellaabdelouahab]

@muttaqin1 great 👌

[ghost]

Can you do the task? This is a small task, It wont take more than five minutes. Just remove the function call.
@bellaabdelouahab

[bellaabdelouahab]

sure 👌