Nader Fkih Hassen
Day 17 – Securing Files with Role-Based Permissions

📂 "Oops, I deleted the wrong file..."

That’s a nightmare in any app — but in legal software? It’s a lawsuit waiting to happen.

So on Day 17 of my internship learning journey, I focused on a vital but often overlooked problem: making sure only authorized users can delete documents.

🧱 Background
I previously built a file upload feature tied to legal cases. But until now, anyone could delete documents.

In reality, a junior lawyer shouldn’t be able to remove court evidence by mistake. So, I implemented Role-Based Access Control (RBAC) specifically for file deletion.

🔐 RBAC Rules for Document Handling

| Role        | Upload | View | Delete |
|-------------|--------|------|--------|
| Lawyer      | ✅     | ✅   | ❌     |
| Admin       | ✅     | ✅   | ✅     |
| Super Admin | ✅     | ✅   | ✅     |

These rules are enforced in both the backend and the frontend.

⚙️ Backend Implementation (NestJS + Prisma)
I updated the document deletion route in NestJS:

```typescript
// Inside the documents controller. AuthGuard, RolesGuard and @Roles are the app's own
// guard classes and decorator; AuthGuard authenticates the request, RolesGuard checks the role.
@UseGuards(AuthGuard, RolesGuard)
@Roles('ADMIN', 'SUPER_ADMIN') // only these roles may reach the handler
@Delete('/documents/:id')
async deleteDoc(@Param('id') id: string) {
  return this.documentService.remove(id);
}
```

This ensures only authorized users can trigger deletion, even if they try via tools like Postman.
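As an added illustration of how the guard enforces that rule (my own framework-free sketch, not the post's code and not NestJS's real API): the `Roles` decorator, metadata store and `Ctx` shape below are stand-ins for NestJS's SetMetadata/Reflector/ExecutionContext, and the permission matrix is the table from the post.

```typescript
// Framework-free sketch of @Roles + RolesGuard (stand-ins, not @nestjs/common).
type Role = 'LAWYER' | 'ADMIN' | 'SUPER_ADMIN';
type Action = 'upload' | 'view' | 'delete';
type Handler = (...args: any[]) => unknown;

// The post's RBAC table. Deny by default: a role or action not listed here is refused.
const PERMISSIONS: Record<Role, ReadonlySet<Action>> = {
  LAWYER: new Set<Action>(['upload', 'view']),
  ADMIN: new Set<Action>(['upload', 'view', 'delete']),
  SUPER_ADMIN: new Set<Action>(['upload', 'view', 'delete']),
};

function isAllowed(role: string | undefined, action: Action): boolean {
  // hasOwnProperty, not `in`: 'toString' in PERMISSIONS is true via the prototype chain
  if (!role || !Object.prototype.hasOwnProperty.call(PERMISSIONS, role)) return false;
  return PERMISSIONS[role as Role].has(action);
}

// Stand-in for the @Roles() decorator: records the roles required by a handler.
const rolesMetadata = new WeakMap<Handler, string[]>();
function Roles(...roles: string[]) {
  return <H extends Handler>(handler: H): H => {
    rolesMetadata.set(handler, roles);
    return handler;
  };
}

// Stand-in for ExecutionContext: the route handler plus the HTTP request.
interface Ctx {
  handler: Handler;
  request: { user?: { id: string; role?: string } };
}

// Stand-in for RolesGuard.canActivate(): a handler without @Roles is not role-restricted;
// a restricted handler passes only for an authenticated user whose role is listed.
function rolesGuardCanActivate(ctx: Ctx): boolean {
  const required = rolesMetadata.get(ctx.handler);
  if (!required || required.length === 0) return true;
  const role = ctx.request.user?.role;
  return role !== undefined && required.includes(role);
}

// The route from the post: only ADMIN and SUPER_ADMIN may reach the delete handler.
const deleteDoc = Roles('ADMIN', 'SUPER_ADMIN')((id: string) => `deleted ${id}`);
const viewDoc = (id: string) => `viewing ${id}`; // no @Roles: any authenticated user

// Constructed request: a lawyer calling the API directly (e.g. via Postman) is refused.
const lawyerCanDelete = rolesGuardCanActivate({
  handler: deleteDoc, request: { user: { id: 'u1', role: 'LAWYER' } },
}); // false
```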

💻 Frontend Guards (Next.js)
In the file list UI, I used useUser() to conditionally show the delete button only to eligible roles:

```tsx
{/* Show the delete button only to roles that may delete. This is a UX measure;
    the backend guard is the actual access control. */}
{user?.role === 'ADMIN' || user?.role === 'SUPER_ADMIN' ? (
  <button onClick={() => deleteFile(file.id)}>🗑️ Delete</button>
) : null}
```

Hiding the button is a UX measure, not a security control: even if someone inspects the page and reveals the button, or calls the API directly, the backend guard blocks them.

🧠 What I Learned

  • Security isn’t just about code — it’s about UI decisions, too.
  • People trust file systems. You only notice it when things break.
  • NestJS guards + frontend conditional rendering = powerful security combo

✅ Extra UX Touches

  • Show a confirmation modal before deletion.
  • Use toast notifications for success/error feedback.
  • Record audit metadata (who deleted what, and when).

❓Discussion Question
Have you ever had to roll back a user’s accidental delete?
What safeguards do you build around sensitive actions?

Let me know — and see you tomorrow for Day 18!

#RBAC #LearningInPublic #SecurityByDesign #LuraApp #InternshipDevLog
