Express framework (~20 mins)

Role-based access control in Express - Practice Problems & Coding Challenges

Challenge - 5 Problems
Component behavior
intermediate
What is the output when a user with role 'guest' accesses the protected route?

Consider this Express middleware that checks user roles before allowing access to a route.

function checkRole(role) {
  return function(req, res, next) {
    if (req.user?.role === role) {
      next();
    } else {
      res.status(403).send('Access denied');
    }
  };
}

app.get('/admin', checkRole('admin'), (req, res) => {
  res.send('Welcome Admin');
});

// Assume req.user = { role: 'guest' }

What will the server respond with when a user with role 'guest' requests '/admin'?

A. The server responds with status 404 Not Found
B. The server responds with status 403 and 'Access denied'
C. The server crashes with a TypeError
D. The server responds with 'Welcome Admin'
💡 Hint

Think about what happens when the user's role does not match the required role.

📝 Syntax
intermediate
Which option correctly implements role-based middleware allowing multiple roles?

You want to create middleware that allows access if the user's role is in a list of allowed roles.

function allowRoles(roles) {
  return function(req, res, next) {
    // Fill in the condition to check if req.user.role is in roles
    if (/* condition here */) {
      next();
    } else {
      res.status(403).send('Forbidden');
    }
  };
}

Which option correctly fills the condition?

A. req.user.role in roles
B. roles.indexOf(req.user.role) === -1
C. req.user.role === roles
D. roles.includes(req.user.role)
💡 Hint

Use the correct JavaScript method to check if an array contains a value.

🔧 Debug
advanced
Why does this role-check middleware always grant access?

Review this Express middleware:

function checkRole(role) {
  return function(req, res, next) {
    if (req.user.role = role) {
      next();
    } else {
      res.status(403).send('Access denied');
    }
  };
}

Why does it always grant access even when the user has the wrong role?

A. Because req.user.role is undefined
B. Because next() is never called
C. Because '=' is used instead of '===', causing assignment instead of comparison
D. Because res.status is missing a status code
💡 Hint

Check the difference between '=' and '===' in JavaScript.
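To see the pitfall from the Debug problem and the multi-role check from the Syntax problem side by side, here is an added example (not part of the original challenge) that runs the assignment-bug middleware and a corrected, fail-closed version against constructed req/res objects, so no Express server is needed. The names checkRoleBuggy, allowRoles and runMiddleware are chosen for this example.

```javascript
// Added example (not from the original challenge): exercise role-check
// middleware with constructed req/res objects, no Express server needed.

// BUGGY: '=' assigns req.user.role = role; the assignment evaluates to the
// truthy string 'admin', so the branch always succeeds and every caller
// is let through (and silently promoted to the required role).
function checkRoleBuggy(role) {
  return function (req, res, next) {
    if (req.user.role = role) {
      next();
    } else {
      res.status(403).send('Access denied');
    }
  };
}

// FIXED: strict comparison via Array.prototype.includes, a list of allowed
// roles, and fail-closed handling of a missing req.user so an unauthenticated
// request gets 403 instead of a TypeError.
function allowRoles(roles) {
  return function (req, res, next) {
    const role = req.user?.role;
    if (role !== undefined && roles.includes(role)) {
      next();
    } else {
      res.status(403).send('Forbidden');
    }
  };
}

// Minimal stand-in for Express's req/res: records what the middleware did.
function runMiddleware(middleware, user) {
  const req = user === undefined ? {} : { user: { ...user } };
  const result = { allowed: false, status: 200, body: null, role: undefined };
  const res = {
    status(code) { result.status = code; return this; },
    send(body) { result.body = body; },
  };
  middleware(req, res, () => { result.allowed = true; });
  result.role = req.user?.role; // observe whether the check mutated the user
  return result;
}

// Demonstration: a 'guest' sails through the buggy check and even ends up as
// 'admin'; the fixed check denies it and leaves the role untouched.
const guest = { role: 'guest' };
console.log(runMiddleware(checkRoleBuggy('admin'), guest));
console.log(runMiddleware(allowRoles(['admin']), guest));
console.log(runMiddleware(allowRoles(['admin', 'editor']), { role: 'editor' }));
console.log(runMiddleware(allowRoles(['admin']), undefined)); // no req.user
```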

State output
advanced
What is the value of req.user after this middleware runs?

Given this middleware that adds roles to the user object:

function addRoles(req, res, next) {
  req.user = { name: 'Alice' };
  req.user.roles = ['user', 'editor'];
  next();
}

app.use(addRoles);

app.get('/edit', (req, res) => {
  res.send(req.user.roles.includes('editor') ? 'Edit allowed' : 'Edit denied');
});

What is the value of req.user inside the '/edit' route handler?

A. { name: 'Alice', roles: ['user', 'editor'] }
B. { name: 'Alice' }
C. undefined
D. { roles: ['user', 'editor'] }
💡 Hint

Think about how properties are added to objects in JavaScript.

🧠 Conceptual
expert
Which statement best describes role-based access control in Express?

Choose the most accurate description of how role-based access control (RBAC) is implemented in Express applications.

A. RBAC is implemented by attaching user roles to the request object and using middleware to allow or deny access based on those roles.
B. RBAC requires modifying the Express core to add role checks before every route handler.
C. RBAC is automatically handled by Express without any middleware or code changes.
D. RBAC is implemented by storing roles in cookies and checking them in the client-side JavaScript.
💡 Hint

Think about how Express middleware works and where user data is stored during a request.