Man I wonder if Kyle actually realises how much he helps us out with his vids man Respect man

Legend! Love the way you clearly explain these concepts in a simple way. Cheers bro. You are on my recommended channel list on my YT

pretty much exactly the video I needed for a project. My man web dev simplified is a legend.

You're simply the best out there because you explain your content very well and you go straight to the point, respect man you're a legend !

Before watching this video, I was creating separate documents for admin and user. Thank you for such a clear explanation tutorial.

Never happier when any youtuber uploads

Kayel your videos are greate for intermediat developers. Clear and simple explanations. Have been following you. You are recommended.

I always keep telling everyone to subscribe to your channel. you're really great really hoping people would recognize you more often.

7:11 Th res.Status Should be 401 Not 403 401 Means Unauthorized , Forbidden Mean He is Sign Up But he doesn't have the permission to access to the given operation. Thank You btw !

I believe you mixed up the status codes a bit. 401 Unauthorized - send this code when the user is not authorized to view the content (as in the user didn't login) 403 Forbidden - send this code when the user is logged in, but is not allowed to view specific content The difference between these status codes is that 401 should be sent if authorization fails, but proper authorization is possible while 403 is sent when the user is authorized, but doesn't have the required permissions.

This video is so motivating since I was taking a break from programming bc of authentication and authorization. Thank you so much!

such a clear explanation, thank you!

Currently I'm learning MEAN and this is exactly what I need for my pet project. Thank you so much for what you're doing!

Your video help me too much thanks 🙏

You've Successfully Simplified Web For Us. Mission Accomplished 😎

Yay!!!!!!!!!!!!!!!!!!! So awesome!!! Thank you !!!! I was just thinking about this because I been following your other tutorials and I love them. I am excited to watch this video.

Awesome video. Concept of modularity with pure functions make this truly scalable.

Thank you very much. This video... no, all your videos I watched are amazing and helpfull!

Thanks so much for this. One of the better Node tutorials I've seen.

Every time I get stuck in something and try to solve a problem by myself. I'm always ended up on your video finding a solution

Your tutorials are top notch Kyle!

Love the progression in this video. Super clear

OMG! thank you. I believe in Web Dev Simplified supremacy!!!!!

My name is Kyle and my job is to simplify the web for you! Your tutorials are always gre8!

Literally god tier content

Just found your channel, loving it so far.

This is the best video about role based authentication...Thanks

Kyle ... great tutorial ... very glad I found your channel! Thank you.

Kyle ... One Word: Genius

As usual, great video - clear, concise and immediately usable. Thanks!

Awesome, helped me with some of my lingering middleware integration ignorance. Well explained!

Exactly the video I needed. Thanks man.

you explain things so simply....easy to follow.....

Enjoyed the turotial throughly!

Awesome. You are the best. I wonder who could be so unfair to dislike it?

20:31 does it make sense in practice ? I'm pretty sure an admin should have right to delete any project

Your video helps me a lot. I really appreciate your effort. Thank you so much!

I would recommend to assign every role an int so you can calculate up and downwards ! Edit: To calculate the inheritance of the groups if given!

I've got a permission system where the permissions are strings like "mail.create" or "mail.*". Each user has an array of permissions, and the permission strings are referenced in a POJO that maps object keys to permission names. So if you have an endpoint that should be accessible to anyone with a mail permission, you call `hasAnyPermission(req.user, Permissions.mail)` where Permissions.mail is an object containing more fine-grained permissions, and that endpoint would be accessible to anybody with a "mail.(whatever)" permission. "*" is a wildcard that refers to all sub-permissions, so if someone has the permission "*" then they're a superuser, and if they have the permission "boards.*" then they can do anything on any image board. There are some functions, like `hasAnyPermission` or `hasPermission` that you stick at the beginning of your route handler to enforce the permissions. Of course you don't have to put them at the beginning of your route handler - the entire frontend of the app is handlebars so I also use them on specific pages where I want to display some items/links but each link requires a separate permission. I'm actually pretty surprised that I've made it this far using only handlebars and plain JS for the frontend. The backend is NodeJS with Typescript which is great but I've managed to write a multiplayer FPS almost entirely in plain JS (server-side is that typescript nodejs I just mentioned) and build a forum engine and now I've set up a mail server and a way for users to create and manage email addresses on my domain. handlebars may not be flashy but damn if I like it

please make a complete node course for beginners to intermediate level and an advanced node course too. We are ready to buy it. Please vote if u guys need it too.

best teacher ever

Thank you for such an amazing tutorial!

It would be awesome if you could create like a mini blog[or anything] with react & express that uses user-based roles. I'm trying to add user based rules to my react app :p

Thank you very much! This is exactly what I needed for my project!

Nice. Introductory tutorial on how to manage user roles.

Thank you so much Kyle. I found this very helpful.

Very good explained , Love from India.

Just want to say thankyou man. Words are short here.

This video came in the perfect time. Thank you!

wow! such a great tutorial. thanks for the guide!

very clear, it’s helpful in my project. Thanks a lot

YOU ARE AWESOME thankyou for putting great content, with fast but effective and SIMPLE :)

Really amazing explanation!

Great content. Would love to see an elaborated version of this with more of a real world scenarios where an user can have multiple role for different context.

This is what i want , u are awesome sir 🤘🤘🤘

YOu are amazing... Really simplified complex things

too good. I did a version in typescript but followed your flows. Thanks

mmh, i think there is some confusion between permissions and actually filtering the correct data. One thing is permission based on levels (the higher level, the higher the privilege to see things), and one things is to filter the correct projects for the user. wouldn't that be a filter applied at DAO level which returns the right data rather than crammining into the permissions? Permission after all should be agnostic to the kind of data you are handling, and should worry only about roles . correct me if I am wrong?

Thanks for the great tutorial. In the end, I'm just wondering (if we work with real data obtained from the database), what is the best way to filter the data (in this case the scopedProjects function). If we have a lot of data, in this case we need to fetch all of them and then filter them. Isn't it better (in terms of performance) to check the role first and then pull only specific (filtered on db query level) data from the database?

If someone knows someone else's userId there could be problems. How do we make sure someone cant modify userId in the request?

could please create a video on RBAC in MySQL with limited permissions to API in nodejs

You could have a super admin that would have the ability to delete any project. If an employee is no longer working for the company, you might want to have someone either delete that employee's project or reassign them to another user to complete.

Thanks for sharing, it is nice and easy to follow which is a massive help.

Great content. Gives motivation to keep our channel going.

Hey Kayle please do video on Gulp, Grunt, webpack and parcel & when to choose which tool

that was a great video thankyou so much!

Nice one - Just for the sake of DRY : scopedProjects = (user, projects) => projects.filter(project => canViewProject(user, project))

could you please explain how to set admin role to the users who are registers first

great video though, would that be useful for a management systems as well?

Thank you so much for the tutorial video it's quite informative and professional

Please make video how can create front side

THANK YOUUUUUUUUUUU!!!!!! I finally understand this.

So accurate with the name web dev SIMPLIFIED

great video bro, please do a MERN project like this with frontend

Hi can you make a video for multiple type accounts using mern stack , for example there are two types of users regular users, product manufacturers, from which we will take different information from both of them. But we need to allow them to login from same page. Is it possible ?

You dont view anything in the browser? I'm using the ejs view engine and am having problems getting the ._id from mongodb to verify that the user is the owner of a post. I cannot find a work around. Maybe this would do it 🤔

it's 2021, so there is still NO out-of-box user /role management extension for Nodejs?

Perfect. Very nicely done

Kyle to webcam: Focus on my hair not the content

How to add the functionality in which admin can change the roles .

Thanks a lot ! great video ! Please how can i protect my front-end routes using those APIs ? For example, when users login, the Admin would have route to the admin page but normal users not ? is it secure to check roles in the front-end ?

I recently deployed an express middle ware which exactly does this. Check route-access-control npm package

Great layout of material.

Hey! Thanks for the video, although I don't think the PROMO code works anymore 😩

surely on signup you wouldnt have a choice of role, so how would you assign the ADMIN role other than everyone is BASIC. would this be done in the backend?

exactly what i was looking for

This lesson is great, just I would like add more basic users, the problem is that this example define the basic users from start What if i have a login that any users want to access? How define that all users logged with no id admin are basic? I´m stuck in that! :(

The best educational videos

I added this video to my Gold Collection

Thank you. This was a great learing experience.

Good tutorial, why sometimes did you use es6 and sometimes not ?

Awesome video

How would you share the permissions logic between the node backend and a ... lets say, react frontend?

I am bit concerned with the performance of approach explained here, users are in some DB, say mongo or SQL, so are the roles and permissions, with this approach , on each call, I have to go to DB and verify that sent userId is valid(login basic Auth) and then proceed next middleware, and that middleware will again call the DB and look for role permissions on particular object (currently handelled with static data.js), thus with each request multiple calls to DB are being made. now consider an application with good amount of users intracing, Can you please shed some light on performance perspective?

I love you and PedroTech, both kinda feel alike to me

Found what I am looking for thanks.

After all, this method does not meet the requirements of security. The role is taken from the body. If I release basic instead of admin in the header, you will send the relevant information to the admin from the server. is that right?

You are so great.can you tell me what is your main job besides youtube?

What if we create capabilities for each action, and then assign that capability to the roles so that one capability can be assign to the multiple roles.

I researched about this Adding body to get request is bad practise Isn't it?? Also if caching is used it would cause weird bugs..because caching mechanism usually ignore the get body Is this right?? What is the correct way to go about it??