Concept Flow - Role-based access patterns
User Requests Page
Check User Role
Allow Admin
Render Page
This flow shows how a Next.js app checks a user's role before allowing access to a page or redirecting them.
0Role-based access patterns in NextJS - Step-by-Step Execution
Start learning this pattern below
Jump into concepts and practice - no test required
or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Execution Sample
NextJS
import { NextResponse } from 'next/server'; export function middleware(req) { const role = req.cookies.get('role')?.value || 'guest'; if (role === 'admin') return NextResponse.next(); return NextResponse.redirect(new URL('/login', req.url)); }
Middleware checks the user's role from cookies and allows or blocks access accordingly.
Execution Table
| Step | Action | Role Value | Condition Checked | Result | Next Step |
|---|---|---|---|---|---|
| 1 | Read 'role' cookie | admin | role === 'admin' | True | Allow access |
| 2 | Allow access | admin | - | Access granted | Render page |
| 3 | User requests page | user | role === 'admin' | False | Redirect to /login |
| 4 | Redirect to /login | user | - | Access denied | Show login page |
| 5 | User requests page | guest | role === 'admin' | False | Redirect to /login |
| 6 | Redirect to /login | guest | - | Access denied | Show login page |
💡 Execution stops after allowing access or redirecting based on role check.
Variable Tracker
| Variable | Start | After Step 1 | After Step 3 | After Step 5 |
|---|---|---|---|---|
| role | undefined | admin | user | guest |
Key Moments - 2 Insights
Why does the middleware redirect users who are not 'admin'?
Because the condition 'role === "admin"' is false for other roles, so the code redirects them to '/login' as shown in execution_table rows 3 and 5.
What happens if the 'role' cookie is missing?
The code assigns 'guest' as default role (see code line with '|| "guest"'), so the user is treated as guest and redirected, as in execution_table row 5.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, what is the role value at Step 3?
💡 Hint
Check the 'Role Value' column in execution_table row for Step 3.
At which step does the middleware allow access to the page?
💡 Hint
Look for 'Access granted' in the 'Result' column of execution_table.
If the role cookie was 'admin', what would happen at Step 5?
💡 Hint
Refer to how 'admin' role is handled in execution_table rows 1 and 2.
Concept Snapshot
Role-based access in Next.js uses middleware to check user roles. It reads the role from cookies or defaults to 'guest'. If role matches allowed roles (e.g., 'admin'), access is granted. Otherwise, user is redirected to login or error page. This pattern protects pages based on user permissions.
Full Transcript
This visual execution trace shows how role-based access works in Next.js using middleware. When a user requests a page, the middleware reads the 'role' cookie. If the role is 'admin', the middleware allows access and the page renders. If the role is anything else or missing, the middleware redirects the user to the login page. Variables like 'role' change based on cookie values. Key moments include understanding why non-admin users are redirected and what happens if the role cookie is missing. The quiz questions help reinforce these points by referencing specific steps in the execution table.
Practice
1. What is the main purpose of role-based access control in a Next.js application?
easy
Solution
Step 1: Understand role-based access control concept
Role-based access control means controlling what users can do or see based on their roles.Step 2: Identify the purpose in Next.js apps
In Next.js, this means showing or hiding parts of the app depending on user roles to protect sensitive data.Final Answer:
To restrict or allow users to see or perform actions based on their assigned roles -> Option BQuick Check:
Role-based access controls user permissions = B [OK]
Hint: Role-based access controls user permissions and visibility [OK]
Common Mistakes:
- Confusing access control with styling or caching
- Thinking it automatically creates user profiles
- Assuming it improves app speed
2. Which of the following is the correct way to check a user's role in a Next.js component using session data?
easy
Solution
Step 1: Identify session structure in Next.js
Session data usually stores user info under session.user, including role as session.user.role.Step 2: Check correct syntax for role comparison
The correct check is session.user.role === 'admin' to compare role string exactly.Final Answer:
if (session.user.role === 'admin') { /* allow access */ } -> Option AQuick Check:
Use session.user.role for role check = C [OK]
Hint: Access role via session.user.role for correct check [OK]
Common Mistakes:
- Using user.role without session prefix
- Checking session.role directly (wrong path)
- Using == instead of === for strict comparison
- Assuming roles is an array when it's a string
3. Given this Next.js code snippet, what will be rendered if the user role is 'editor'?
function Dashboard({ session }) {
if (session.user.role === 'admin') {
return <div>Admin Panel</div>;
} else if (session.user.role === 'editor') {
return <div>Editor Workspace</div>;
} else {
return <div>Access Denied</div>;
}
}medium
Solution
Step 1: Check user role conditionals
The code checks if role is 'admin', then 'editor', else denies access.Step 2: Match role 'editor' to conditional
Since role is 'editor', the second condition matches and returns <div>Editor Workspace</div>.Final Answer:
<div>Editor Workspace</div> -> Option DQuick Check:
Role 'editor' matches editor condition = A [OK]
Hint: Match user role to if-else branches to find output [OK]
Common Mistakes:
- Choosing admin panel for editor role
- Assuming access denied for editor
- Thinking code has syntax errors
4. Identify the error in this Next.js role check code snippet:
function Page({ session }) {
if (session.user.role = 'admin') {
return <div>Admin Access</div>;
}
return <div>No Access</div>;
}medium
Solution
Step 1: Check the if condition syntax
The code uses single equals (=) which assigns value instead of comparing.Step 2: Identify correct comparison operator
For comparison, triple equals (===) should be used to check equality without assignment.Final Answer:
Using single equals (=) instead of triple equals (===) for comparison -> Option CQuick Check:
Use === for comparison, not = [OK]
Hint: Use === for comparison, not = assignment [OK]
Common Mistakes:
- Confusing assignment (=) with comparison (===)
- Thinking else block is mandatory
- Incorrect session property path assumptions
- Believing return inside if is invalid
5. You want to protect a Next.js API route so only users with role 'admin' or 'manager' can access it. Which code snippet correctly implements this role-based access check?
hard
Solution
Step 1: Understand role check for multiple roles
We want to allow access if role is either 'admin' or 'manager'.Step 2: Evaluate each option's logic
if (session.user.role === 'admin' && session.user.role === 'manager') { /* allow */ } else { /* deny */ } uses && which requires the role to be both simultaneously (impossible); if (session.user.role === ['admin', 'manager']) { /* allow */ } else { /* deny */ } compares role to array directly (wrong); if (['admin', 'manager'].includes(session.user.role)) { /* allow */ } else { /* deny */ } uses includes() on array which is clean and correct; if (session.user.role == 'admin' && session.user.role == 'manager') { /* allow */ } else { /* deny */ } uses && which requires role to be both roles simultaneously (impossible).Final Answer:
if (['admin', 'manager'].includes(session.user.role)) { /* allow */ } else { /* deny */ } -> Option AQuick Check:
Use includes() to check multiple roles = D [OK]
Hint: Use array.includes(role) to check multiple roles easily [OK]
Common Mistakes:
- Comparing role directly to an array
- Using && instead of || for multiple roles
- Not using includes() for clean checks
- Assuming || is always better than includes()