Next.js Discord


How to limit access to authorized users (the resource creator) or admins?

Unanswered
Bumble bee posted this in #help-forum
Bumble beeOP
How would you do it (generally)?

My code looks like this:

import { NextRequest, NextResponse } from 'next/server'
// `database` (the app's DB client, e.g. Prisma) and `NextRoute` (the route context type) are imported elsewhere in the original code.

export async function POST(request: NextRequest, route: NextRoute) {
    const { slug, name, description } = await request.json()

    // The record is created straight from the request body; nothing here checks who the caller is.
    const city = await database.city.create({
        data: { slug, name, description }
    })

    const data = { city }

    return NextResponse.json({ data })
}

7 Replies

Z4NR34L
I'm using next-auth, where you only need to fetch the session from the request and check it 😉
Bumble beeOP
I also did it like this:

// `User` and `getCurrentUser` come from the app's own auth/session code (not shown in the post).
async function allowAction(creator?: User) {
    const currentUser = await getCurrentUser()

    // Not signed in: deny before reading `currentUser.role`, which would otherwise throw on null.
    if (!currentUser) return false

    if (creator) {
        // Acting on an existing resource: admins, or the PRO_USER who created it.
        return (
            currentUser.role === 'ADMIN' ||
            (currentUser.role === 'PRO_USER' && creator.id === currentUser.id)
        )
    } else {
        // Creating a new resource: any admin or PRO_USER.
        return currentUser.role === 'ADMIN' || currentUser.role === 'PRO_USER'
    }
}
I am working with JWT.
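The creator-or-admin rule from the post above, wired in front of a create and an update handler, as an added example that is not code from the thread or from Next.js. It runs without Next.js or next-auth: the `Req`/`Res` types, the in-memory `cities` store, and the injected `getCurrentUser` session lookup are stand-ins for `NextRequest`/`NextResponse`, the database client and the JWT/session read.

```typescript
type Role = 'ADMIN' | 'PRO_USER' | 'USER'
export interface User { id: string; role: Role }
export interface City { slug: string; name: string; description: string; creatorId: string }

// Pure policy function: same rule as the allowAction post, plus an explicit
// "no session" case. `creator` is undefined when creating a resource and set
// (from the stored record) when modifying one.
export function allowAction(currentUser: User | null, creator?: { id: string }): boolean {
  if (!currentUser) return false                  // unauthenticated: never allowed
  if (currentUser.role === 'ADMIN') return true   // admins may do anything
  if (currentUser.role !== 'PRO_USER') return false
  // PRO_USER may create, and may only touch resources they created themselves
  return creator === undefined || creator.id === currentUser.id
}

// Minimal stand-ins for NextRequest/NextResponse so the example runs without Next.js.
export interface Req { body: { slug: string; name: string; description: string } }
export interface Res { status: number; data?: unknown; error?: string }
export const cities: City[] = []   // constructed in-memory store in place of the database

// Session lookup is injected (a real handler would read the JWT/session,
// e.g. via next-auth) so the handlers are testable offline.
type SessionFn = () => User | null

export function POST(req: Req, getCurrentUser: SessionFn): Res {
  const currentUser = getCurrentUser()
  if (!currentUser) return { status: 401, error: 'unauthenticated' }
  if (!allowAction(currentUser)) return { status: 403, error: 'forbidden' }
  const { slug, name, description } = req.body
  // The creator is taken from the session, not from anything the client sent.
  const city: City = { slug, name, description, creatorId: currentUser.id }
  cities.push(city)
  return { status: 201, data: { city } }
}

export function PATCH(req: Req, getCurrentUser: SessionFn): Res {
  const currentUser = getCurrentUser()
  if (!currentUser) return { status: 401, error: 'unauthenticated' }
  const city = cities.find(c => c.slug === req.body.slug)
  if (!city) return { status: 404, error: 'not found' }
  // The creator's identity comes from the stored record, never from the request body.
  if (!allowAction(currentUser, { id: city.creatorId })) return { status: 403, error: 'forbidden' }
  city.name = req.body.name
  city.description = req.body.description
  return { status: 200, data: { city } }
}
```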
Z4NR34L
What auth package are you using? You can add anything to the JWT payload in next-auth without any issue, so when you decrypt the session on the server side you will have anything you passed with it.
Bumble beeOP
Mmmh, ok.
Z4NR34L
Please consider marking this thread as answered if that's solved 😄
Bumble beeOP
How can I do that?!