Express framework (~10 mins)

Role-based access control in Express - Step-by-Step Execution

Concept Flow - Role-based access control
User sends request
Middleware checks user role
Allow access
Next handler
The request passes through middleware that checks the user's role. If the role matches, access is allowed; otherwise, access is denied.
Execution Sample
Express
// Returns a middleware that lets a request through only when the
// authenticated user's role equals `role`. req.user is expected to have been
// set by an earlier authentication middleware (session or verified token);
// optional chaining keeps the check from throwing when nobody is logged in.
function checkRole(role) {
  return (req, res, next) => {
    if (req.user?.role === role) next();       // role matches: continue to the next handler
    else res.status(403).send('Forbidden');    // missing or wrong role: deny
  };
}
This middleware checks whether the logged-in user's role matches the required role and either lets the request continue by calling next() or denies it with a 403 Forbidden response. Note that checkRole does not authenticate anyone: req.user must already have been populated by an authentication middleware earlier in the chain, from a server-side source such as a session or a verified token, never from a client-supplied header, cookie value or query parameter.
Execution Table
Step | Request user.role | Condition (req.user?.role === role) | Action | Response
1 | 'admin' | 'admin' === 'admin' (true) | next() called | Request proceeds
2 | 'user' | 'user' === 'admin' (false) | res.status(403).send('Forbidden') | 403 Forbidden sent
3 | undefined | undefined === 'admin' (false) | res.status(403).send('Forbidden') | 403 Forbidden sent
💡 Access denied when user role does not match or is missing; allowed only when roles match.
Variable Tracker
Variable | Start | After Step 1 | After Step 2 | After Step 3
req.user.role | undefined | 'admin' | 'user' | undefined
role (required) | 'admin' | 'admin' | 'admin' | 'admin'
Condition result | N/A | true | false | false
Key Moments - 2 Insights
Why does the middleware deny access when req.user is undefined?
Because req.user?.role short-circuits to undefined when req.user is undefined, and undefined === 'admin' is false, as shown in step 3 of the execution table, so the middleware sends 403 Forbidden instead of calling next().
What happens if the user's role matches the required role?
The middleware calls next(), allowing the request to continue to the next handler, as shown in step 1 of the execution table.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table: what is the response when req.user.role is 'user' and the required role is 'admin'?
A. 403 Forbidden sent
B. 500 Internal Server Error
C. Request proceeds
D. Redirect to login
💡 Hint
Check row 2 of the execution table under the 'Response' column.
At which step does the condition req.user?.role === role evaluate to true?
A. Step 3
B. Step 2
C. Step 1
D. None
💡 Hint
Look at the 'Condition' column of the execution table for each step.
If the middleware allowed access when req.user is undefined, what would change in the execution table?
A. Step 2 response would be 200 OK
B. Step 3 action would be next() called
C. Step 1 condition would be false
D. No changes
💡 Hint
Focus on the 'Action' and 'Response' columns for Step 3 in the execution table.
Concept Snapshot
Role-based access control in Express uses middleware to check user roles before a route handler runs.
The middleware compares req.user.role with the role the route requires.
If the roles match, it calls next() so the request continues.
If they do not match, it sends a 403 Forbidden response and does not call next().
Use optional chaining (req.user?.role) so the check does not throw when req.user is missing.
req.user must be set by an earlier authentication step from a server-side session or a verified token, never from client-supplied input, or the role check can be bypassed.
Full Transcript
Role-based access control in Express works by using middleware functions that check the user's role before allowing access to certain routes. When a request comes in, the middleware reads req.user.role, which an earlier authentication middleware has populated from a session or a verified token, and compares it to the role the route requires. If they match, the middleware calls next() to let the request continue. If they do not match, or if req.user is missing because nobody is logged in, the middleware sends a 403 Forbidden response and the route handler never runs. This prevents unauthorized users from reaching protected parts of the app, provided the role itself comes from the server and not from anything the client can set. The execution table shows three cases: when the user is an admin (access allowed), when the user is a regular user (access denied), and when no user is logged in (access denied). Understanding this flow helps keep your app secure by controlling who can do what.