DEV Community

Nader Fkih Hassen

📝 Blog Post – Day 14: Implementing Role-Based Access Control (RBAC)

Today’s focus in the Lura project was on Role-Based Access Control (RBAC) — a concept that ensures users only have access to what they’re supposed to see or do.

🔐 Why RBAC Matters
In a legal platform like Lura, different users (lawyers, admins, super admins) need clearly defined responsibilities and permissions. You can’t allow a regular lawyer to delete documents, or a new user to modify system settings. RBAC solves that by assigning roles and mapping them to actions.

🧩 Goals of Today’s Feature:

  • Clearly define 3 user roles: Lawyer, Admin, Super Admin
  • Secure sensitive API routes (delete, update, create)
  • Control visibility of buttons and pages in UI
  • Prevent role spoofing by enforcing checks server-side
  • Ensure new users are onboarded with appropriate roles

⚙️ How I Built It
📦 Backend (NestJS + Prisma)

  • I used NestJS Guards and a custom @Roles() decorator to protect controller routes.
  • User roles were stored in the database using Prisma’s user model.
  • I created middleware that intercepts requests and checks JWT tokens for valid roles.
```typescript
// The two guards run in order: AuthGuard verifies the JWT and attaches the
// user to the request, then RolesGuard compares that user's role with the
// roles listed in @Roles(). Only an admin can reach this handler.
@UseGuards(AuthGuard, RolesGuard)
@Roles('admin')
@Delete('/document/:id')
removeFile() { ... }
```
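
As an added example (not code from the Lura project or from this post), here is the server-side check a RolesGuard like the one described above performs, and the reason the frontend check on its own is not enough: the role is read only from the user object that AuthGuard attached after verifying the JWT, never from headers or the request body. The three-level role hierarchy and the request and context shapes are assumptions, and no NestJS imports are used so the snippet runs stand-alone.

```typescript
// Added example, not the Lura project's own code: the server-side check a
// NestJS-style RolesGuard performs, written without framework imports so it
// runs stand-alone. Role hierarchy and request shape are assumptions.

type Role = 'lawyer' | 'admin' | 'super_admin';

// Assumed hierarchy: a higher-ranked role may do anything a lower one may.
const ROLE_RANK: Record<Role, number> = { lawyer: 1, admin: 2, super_admin: 3 };

// The slice of the request the guard reads. `user` is attached by AuthGuard
// from the verified JWT payload and is the only place the role is taken from.
interface AuthedRequest {
  user?: { id: string; role: Role };
  headers: Record<string, string>;
  body?: Record<string, unknown>;
}

// Stand-in for Nest's ExecutionContext plus the Reflector lookup of @Roles() metadata.
interface HandlerContext {
  requiredRoles?: Role[];
  request: AuthedRequest;
}

function isRole(value: unknown): value is Role {
  return typeof value === 'string' && Object.prototype.hasOwnProperty.call(ROLE_RANK, value);
}

// Allow only when a verified user holds one of the required roles or a higher
// one. Headers and body are never consulted, so a client cannot spoof a role.
function canActivate(ctx: HandlerContext): boolean {
  const required = ctx.requiredRoles ?? [];
  if (required.length === 0) return true;           // route carries no @Roles(): not restricted
  const user = ctx.request.user;
  if (!user || !isRole(user.role)) return false;    // AuthGuard did not run, or payload is malformed
  return required.some((r) => ROLE_RANK[user.role] >= ROLE_RANK[r]);
}

// Constructed requests against the @Roles('admin') delete route shown above.
const deleteRoute: Role[] = ['admin'];
const asLawyer: AuthedRequest = { user: { id: 'u1', role: 'lawyer' }, headers: {} };
const asAdmin: AuthedRequest = { user: { id: 'u2', role: 'admin' }, headers: {} };
const spoofed: AuthedRequest = { headers: { 'x-role': 'admin' }, body: { role: 'admin' } };

console.log(canActivate({ requiredRoles: deleteRoute, request: asLawyer }));  // false
console.log(canActivate({ requiredRoles: deleteRoute, request: asAdmin }));   // true
console.log(canActivate({ requiredRoles: deleteRoute, request: spoofed }));   // false
```

The same function serves a super admin (who outranks admin) and rejects a payload whose role is not one of the three known values, which is the case a guard hits when a token was issued with stale or malformed claims.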

💻 Frontend (Next.js + Context)

  • I pulled the logged-in user’s role from the session context.
  • Using conditional rendering, I hid buttons and restricted actions for lower roles.

Example:

```tsx
{user.role === 'admin' && <DeleteButton />}
```

🔒 Extra Layer of Security
You can’t trust frontend checks alone: a hidden button only changes what the browser renders, and the API behind it can still be called directly. That’s why every sensitive route also has backend protection, so that only a request whose role has been verified on the server can trigger dangerous actions like deletions or workspace edits.

I also created a helper function to easily assign roles during registration based on invitation logic (admin invites lawyer, super admin creates admins, etc.).

✅ Key Lessons & Takeaways:

  • RBAC creates safer and more maintainable software.
  • It prevents accidental misuse and enforces real-world policies.
  • NestJS makes backend security very modular with guards and decorators.
  • UI must align with backend logic — security isn’t only about APIs.
  • Planning your access model early makes future scaling easier.

❓ Question:
How do you handle permissions in your web apps?
Would you go with RBAC, ACL (Access Control Lists), or something more dynamic like policy-based access?
