Permission middleware in Express - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is permission middleware in Express?
Permission middleware is a function that checks whether a user has the right to access a specific route or resource before allowing the request to continue.

beginner
How do you use permission middleware in an Express route?
You add the middleware function as an argument before the route handler. For example: app.get('/admin', permissionMiddleware, (req, res) => {...}).

beginner
What should permission middleware do if the user lacks permission?
It should stop the request by sending a response such as 403 Forbidden and not call next(), so the route handler does not run.

intermediate
Why is permission middleware useful in web apps?
It helps protect sensitive routes by checking user roles or permissions centrally, making the app safer and easier to maintain.

beginner
What parameters does an Express middleware function receive?
It receives three parameters: the request (req), the response (res), and the next function, which passes control to the next middleware or route handler.
What does permission middleware typically check before allowing access?
A. User's permissions or roles
B. The size of the request body
C. The server's CPU usage
D. The client's browser type

What should permission middleware do if the user is not allowed access?
A. Call next() to continue
B. Send a 403 Forbidden response
C. Redirect to the homepage
D. Ignore and do nothing

Where do you place permission middleware in an Express route?
A. Outside the Express app
B. After the route handler
C. Inside the route handler
D. Before the route handler

Which of these is NOT a parameter of Express middleware?
A. req (request)
B. next (function)
C. callback (function)
D. res (response)

Why use permission middleware instead of checking permissions inside route handlers?
A. To centralize permission checks and keep code clean
B. To slow down the app
C. To avoid using Express
D. To make routes harder to read
Explain how permission middleware works in Express and why it is important.
Hint: Think about how middleware controls access to routes.

Describe how to implement a simple permission middleware that allows only admin users to access a route.
Hint: Focus on role checking and response handling.

      Practice

      1. What is the main purpose of permission middleware in an Express app?
      easy
      A. To check if a user has rights to access a route before running its handler
      B. To format the response data before sending it to the client
      C. To log every request made to the server
      D. To handle errors thrown by route handlers

      Solution

      Step 1: Understand the middleware role
        Middleware runs before route handlers to control flow or check conditions.
      Step 2: Identify the permission middleware function
        Permission middleware specifically checks user rights to allow or deny access.
      Final Answer:
        To check if a user has rights to access a route before running its handler -> Option A
      Quick Check:
        Permission middleware controls access = A
      Hint: Permission middleware controls access before the route runs
      Common Mistakes:
      • Confusing permission middleware with logging middleware
      • Thinking it formats response data
      • Assuming it handles errors
      2. Which of the following is the correct way to define a permission middleware function in Express?
      easy
      A. function checkPermission(req, res, next) { if (!req.user) next('No user'); else next(); }
      B. function checkPermission(req, res) { if (!req.user) res.send('No user'); else next(); }
      C. function checkPermission(req, res, next) { if (!req.user) res.send('No user'); else next(); }
      D. function checkPermission(req, res, next) { if (!req.user) return; else next(); }

      Solution

      Step 1: Check the middleware signature
        Express middleware must have three parameters: req, res, next.
      Step 2: Verify correct usage of next()
        If the permission check fails, respond or send an error; otherwise call next() to continue.
      Final Answer:
        function checkPermission(req, res, next) { if (!req.user) res.send('No user'); else next(); } -> Option C
      Quick Check:
        Middleware needs (req, res, next) and calls next()
      Hint: Middleware needs three params: req, res, next
      Common Mistakes:
      • Missing the next parameter
      • Calling next without parentheses
      • Not sending a response or calling next() properly
      3. Given this middleware and route, what will be the response if req.user.role is 'guest'?
      function permitAdmin(req, res, next) {
        if (req.user?.role !== 'admin') {
          return res.status(403).send('Forbidden');
        }
        next();
      }

      app.get('/admin', permitAdmin, (req, res) => {
        res.send('Welcome Admin');
      });
      medium
      A. Forbidden
      B. Welcome Admin
      C. Internal Server Error
      D. No response (timeout)

      Solution

      Step 1: Check the user role in the middleware
        The middleware checks whether req.user.role is not 'admin'. Here it is 'guest', so the condition is true.
      Step 2: Middleware response on failed permission
        It sends status 403 with 'Forbidden' and does not call next(), so the route handler is skipped.
      Final Answer:
        Forbidden -> Option A
      Quick Check:
        Role not admin = 403 Forbidden
      Hint: If the role is not admin, the middleware sends 403 and stops
      Common Mistakes:
      • Assuming the route handler runs anyway
      • Confusing status codes
      • Missing optional chaining on req.user
      4. Identify the error in this permission middleware code:
      function checkPermission(req, res, next) {
        if (!req.user.permissions.includes('edit')) {
          res.status(401).send('Unauthorized');
        }
        next();
      }
      medium
      A. Middleware should not call next() at all
      B. Wrong status code for unauthorized access
      C. Incorrect property name 'permissions' on req.user
      D. Missing return after sending response, so next() runs anyway

      Solution

      Step 1: Analyze the flow after sending the response
        After res.status(401).send(), execution continues and calls next(), allowing the next middleware or route to run.
      Step 2: Fix by adding return to stop execution
        Adding 'return' before res.status(401).send() prevents next() from running when the user is unauthorized.
      Final Answer:
        Missing return after sending response, so next() runs anyway -> Option D
      Quick Check:
        Sending a response must be followed by return to stop next()
      Hint: Return after res.send() to prevent next() from running
      Common Mistakes:
      • Not returning after sending the response
      • Using the wrong HTTP status code
      • Assuming next() should never be called
      5. You want to create a permission middleware that allows access only if the user has at least one role from an array of allowed roles. Which code correctly implements this?
      hard
      A. function permitRoles(allowedRoles) { return (req, res, next) => { if (!allowedRoles.includes(req.user.role)) { res.status(403).send('Forbidden'); } next(); }; }
      B. function permitRoles(allowedRoles) { return (req, res, next) => { if (allowedRoles.some(role => role === req.user.role)) { next(); } else { res.status(403).send('Forbidden'); } }; }
      C. function permitRoles(allowedRoles) { return (req, res, next) => { if (allowedRoles.indexOf(req.user.role) === -1) { res.status(403).send('Forbidden'); } next(); }; }
      D. function permitRoles(allowedRoles) { return (req, res, next) => { if (allowedRoles.every(role => role !== req.user.role)) { next(); } else { res.status(403).send('Forbidden'); } }; }

      Solution

      Step 1: Understand the requirement
        Access is allowed if the user's role matches any role in the allowedRoles array.
      Step 2: Check each option's logic
        Option A uses includes() but misses the return before res.send(), so next() runs anyway.
        Option C uses indexOf() but also misses the return before res.send(), so next() runs anyway.
        Option B uses some() to check whether any role matches, then calls next() or sends 403 correctly.
        Option D reverses the logic, allowing access when no role matches, which is wrong.
      Step 3: Choose the best correct code
        Option B correctly implements the logic with proper flow control.
      Final Answer:
        Uses some() to allow access if any role matches, else sends 403 -> Option B
      Quick Check:
        Use some() to check roles and control the flow correctly
      Hint: Use some() to check whether the user's role is in the allowed roles
      Common Mistakes:
      • Not returning after sending the response
      • Using every() incorrectly
      • Calling next() even after a forbidden response