Express framework, ~10 mins

Permission middleware in Express - Step-by-Step Execution

Concept Flow - Permission middleware
Request received
Permission middleware runs
Check user permissions
Call next
Route handler
When a request comes in, the permission middleware checks if the user has rights. If yes, it passes control to the next handler; if no, it stops and sends a forbidden error.
Execution Sample
Express
function permissionMiddleware(req, res, next) {
  if (req.user?.role === 'admin') {
    next();
  } else {
    res.status(403).send('Forbidden');
  }
}
This middleware checks if the user role is 'admin'. If yes, it allows the request to continue; otherwise, it blocks with a 403 error.
Execution Table
Step | Action | Check | Result | Next Step
1 | Middleware called | req.user?.role === 'admin' | true | Call next() to continue
2 | Route handler executes | N/A | Request handled | Response sent
3 | Middleware called | req.user?.role === 'admin' | false | Send 403 Forbidden response
4 | Response ends | N/A | Request blocked | No further handlers called
💡 Execution stops either by calling next() if permission granted or sending 403 if denied.
Variable Tracker
Variable | Start | After Step 1 | After Step 3 | Final
req.user.role | undefined, 'admin' or other | 'admin' | 'user' | 'admin' or 'user'
next called | false | true | false | true or false
response status | 200 by default | 200 | 403 | 200 or 403
Key Moments - 2 Insights
Why does the middleware call next() only when the user role is 'admin'?
Because the middleware checks whether req.user.role equals 'admin' (see Execution Table step 1). If true, next() is called to continue processing; otherwise, it sends a 403 response and stops.
What happens if req.user is undefined?
The optional chaining (req.user?.role) safely evaluates to undefined instead of throwing a TypeError, so the condition fails and the middleware sends a 403 Forbidden response (see Execution Table step 3).
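The following is an added example, not code from the original page: it generalises the page's permissionMiddleware into a requireRole(...) factory (a hypothetical name) that accepts a list of allowed roles, and it goes one step beyond the page by answering a missing req.user with 401 (not authenticated) rather than 403 (authenticated but not permitted). The mock req/res/next objects are stand-ins for Express so the file runs without a server.

```javascript
// Added example (not from the original page). requireRole is a hypothetical
// factory that returns a permission middleware in the style of the page's
// permissionMiddleware; the mock objects below replace Express for offline runs.
function requireRole(...allowedRoles) {
  const allowed = new Set(allowedRoles);
  return function permissionMiddleware(req, res, next) {
    // Optional chaining: a missing req.user yields undefined, not a TypeError.
    const role = req.user?.role;
    if (role === undefined) {
      // Extension beyond the page: no authenticated user at all -> 401.
      return res.status(401).send('Unauthorized');
    }
    if (!allowed.has(role)) {
      // Authenticated but lacking the role -> 403; next() is never called.
      return res.status(403).send('Forbidden');
    }
    // Permission granted: hand control to the next handler exactly once.
    return next();
  };
}

// Minimal stand-in for an Express response (status() and send() chain).
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (body) => { res.body = body; return res; };
  return res;
}

// Runs the middleware once and reports the status, body and next() call count.
function runMiddleware(middleware, req) {
  const res = makeRes();
  let nextCalls = 0;
  middleware(req, res, () => { nextCalls += 1; });
  return { status: res.statusCode, body: res.body, nextCalls };
}

const adminOnly = requireRole('admin');

// Constructed sample requests mirroring the Execution Table rows.
const SAMPLES = {
  admin: { user: { id: 1, role: 'admin' } },
  user: { user: { id: 2, role: 'user' } },
  anonymous: {},
};

for (const [name, req] of Object.entries(SAMPLES)) {
  console.log(name, runMiddleware(adminOnly, req));
}
```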
Visual Quiz - 3 Questions
Test your understanding
Looking at the Execution Table, what happens at step 3 when the user role is not 'admin'?
A. The middleware sends a 403 Forbidden response
B. The middleware calls next() to continue
C. The route handler executes normally
D. The request is redirected
💡 Hint
Check the 'Result' and 'Next Step' columns in Execution Table row 3
According to the Variable Tracker, what is the value of 'next called' after step 1 if the user role is 'admin'?
A. false
B. undefined
C. true
D. null
💡 Hint
Look at the 'next called' value after Step 1 in the Variable Tracker
If req.user is undefined, how does the middleware behave according to the execution flow?
A. Calls next() and continues
B. Sends 403 Forbidden response
C. Throws an error
D. Skips middleware
💡 Hint
Refer to the Key Moments explanation about optional chaining and Execution Table step 3
Concept Snapshot
Permission middleware in Express:
- Function checks user permissions from req.user
- If permission granted, call next() to continue
- If denied, send 403 Forbidden response
- Use optional chaining to avoid errors if user missing
- Stops the request flow on denial, so protected routes are never reached by unauthorized users
Full Transcript
Permission middleware in Express runs when a request arrives. It checks if the user has the right role, for example 'admin'. If yes, it calls next() to let the request continue to the route handler. If no, it sends a 403 Forbidden response and stops further processing. Optional chaining helps avoid errors if the user object is missing. This middleware protects routes by blocking unauthorized users.