📂 "Oops, I deleted the wrong file..."
That’s a nightmare in any app — but in legal software? It’s a lawsuit waiting to happen.
So on Day 17 of my internship learning journey, I focused on a vital but often overlooked problem: making sure only authorized users can delete documents.
🧱 Background
I previously built a file upload feature tied to legal cases. But until now, anyone could delete documents.
In reality, a junior lawyer shouldn’t be able to remove court evidence by mistake. So, I implemented Role-Based Access Control (RBAC) specifically for file deletion.
🔐 RBAC Rules for Document Handling
Role Upload View Delete
Lawyer ✅ ✅ ❌
Admin ✅ ✅ ✅
Super Admin ✅ ✅ ✅
These rules were enforced in both backend and frontend.
⚙️ Backend Implementation (NestJS + Prisma)
I updated the document deletion route in NestJS:
@UseGuards(AuthGuard, RolesGuard)
@Roles('ADMIN', 'SUPER_ADMIN')
@Delete('/documents/:id')
async deleteDoc(@Param('id') id: string) {
return this.documentService.remove(id);
}
This ensures only authorized users can trigger deletion, even if they try via tools like Postman.
💻 Frontend Guards (Next.js)
In the file list UI, I used useUser() to conditionally show the delete button only to eligible roles:
{user?.role === 'ADMIN' || user?.role === 'SUPER_ADMIN' ? (
<button onClick={() => deleteFile(file.id)}>🗑️ Delete</button>
) : null}
Even if someone inspects the page and reveals the button, the backend guard blocks them.
🧠 What I Learned
- Security isn’t just about code — it’s about UI decisions, too.
- People trust file systems. You only notice it when things break.
- NestJS guards + frontend conditional rendering = powerful security combo
✅ Extra UX Touches
- Show a confirmation modal before deletion.
- Use toast notifications for success/error feedback.
- Added metadata (who deleted what, and when).
❓Discussion Question
Have you ever had to roll back a user’s accidental delete?
What safeguards do you build around sensitive actions?
Let me know — and see you tomorrow for Day 18!
Top comments (0)