I need to implement role-based access control on the backend with PostgreSQL, Prisma, and Express.js + TypeScript, and the roles I have in mind so far are admin, manager, customer, and delivery crew. I want to build to scale and execute scripts (added to package.json) via the CLI to seed initial roles and permissions from constants/objects (e.g. enum Roles, enum Permissions and role_permissions = { [role]: [permissions] }) and not keep any audit logs. Access to the admin pages requires the admin role, there will be 3-5 admins, and the concept of organizations is not applicable here. Below is the initial structure of my models:

model User {
  id                String    @id @default(uuid())
  email             String    @unique
  password          String
  firstName         String?
  lastName          String?
  isActive          Boolean   @default(true)
  emailVerified     Boolean   @default(false)
  createdAt         DateTime  @default(now())
  updatedAt         DateTime  @updatedAt
  roles             UserRole[]
}

model Role {
  id                String    @id @default(uuid())
  name              String    @unique
  createdAt         DateTime  @default(now())
  updatedAt         DateTime  @updatedAt
  users             UserRole[]
  permissions       RolePermission[]
}

model Permission {
  id                String    @id @default(uuid())
  name              String    @unique // e.g. "product:read", "order:read"
  resource          String    // e.g. "product", "order", "user"
  action            String    // e.g. "create", "read", "update", "delete"
  createdAt         DateTime  @default(now())
  updatedAt         DateTime  @updatedAt
  roles             RolePermission[]
  @@unique([resource, action])
}

// Join table: one row per (user, role) assignment
model UserRole {
  id                String    @id @default(uuid())
  userId            String
  roleId            String
  // Prisma referential actions are spelled Cascade (not CASCADE)
  user              User      @relation(fields: [userId], references: [id], onDelete: Cascade)
  role              Role      @relation(fields: [roleId], references: [id], onDelete: Cascade)

  @@unique([userId, roleId])
}

// Join table: one row per (role, permission) grant
model RolePermission {
  id                String    @id @default(uuid())
  roleId            String
  permissionId      String
  role              Role      @relation(fields: [roleId], references: [id], onDelete: Cascade)
  permission        Permission @relation(fields: [permissionId], references: [id], onDelete: Cascade)
  @@unique([roleId, permissionId])
}

With Django, I am used to having an is_superuser/is_rootuser field in my User model for the Django admin and making any further changes to roles and permissions as needed. For Express.js, how can I manage any further changes (create, update, delete) of roles and permissions and the users assigned to them in my app if requirements change in the future? I would like to avoid exposing API endpoints for mutation of roles and permissions if possible.

  • Note that I don't have the feature for advice questions enabled. Only some users can use it. Commented Nov 8 at 19:14
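One way to keep roles and permissions out of the API entirely, as an added example that is not part of the question: declare them as constants, have the package.json seed script compute a grant/revoke plan against what is currently in role_permissions (so re-running it after a change to the constants is the only way the assignments move), and check permissions in an Express middleware. The Role and Permission values, the req.user shape and the minimal request/response types are assumptions so the block runs without a database or the express package.

```typescript
// Added example, not from the question: roles/permissions as constants, a sync
// plan for a CLI seed script, and a permission check for an Express middleware.
export enum Role { Admin = "admin", Manager = "manager", Customer = "customer", DeliveryCrew = "delivery_crew" }
export enum Permission {
  ProductRead = "product:read", ProductUpdate = "product:update",
  OrderRead = "order:read", OrderUpdate = "order:update", UserRead = "user:read",
}
export const ROLE_PERMISSIONS: Record<Role, Permission[]> = {
  [Role.Admin]: Object.values(Permission),
  [Role.Manager]: [Permission.ProductRead, Permission.ProductUpdate, Permission.OrderRead, Permission.OrderUpdate],
  [Role.Customer]: [Permission.ProductRead, Permission.OrderRead],
  [Role.DeliveryCrew]: [Permission.OrderRead, Permission.OrderUpdate],
};
export type Pair = { role: string; permission: string };
const key = (p: Pair) => `${p.role}|${p.permission}`;

/** Diff the constants against the pairs currently in role_permissions. Run from a
 *  package.json script; apply `grant` with createMany and `revoke` with deleteMany
 *  after resolving names to ids. Re-running on an up-to-date database is a no-op. */
export function planRolePermissions(current: Pair[]): { grant: Pair[]; revoke: Pair[] } {
  const desired: Pair[] = [];
  for (const [role, perms] of Object.entries(ROLE_PERMISSIONS)) {
    for (const permission of perms) desired.push({ role, permission });
  }
  const desiredKeys = new Set(desired.map(key));
  const currentKeys = new Set(current.map(key));
  return {
    grant: desired.filter((p) => !currentKeys.has(key(p))),
    revoke: current.filter((p) => !desiredKeys.has(key(p))),
  };
}

/** True if any of the user's role names grants `needed`; unknown role names grant nothing. */
export function hasPermission(roleNames: string[], needed: Permission): boolean {
  return roleNames.some((r) => (ROLE_PERMISSIONS[r as Role] ?? []).includes(needed));
}

/** Express-style middleware factory, typed minimally so it runs without the express
 *  package; assumes an earlier auth middleware populated req.user.roles from UserRole. */
type Req = { user?: { roles: string[] } };
type Res = { status(code: number): { json(body: unknown): void } };
export function requirePermission(needed: Permission) {
  return (req: Req, res: Res, next: () => void): void => {
    if (!req.user) return res.status(401).json({ error: "unauthenticated" });
    if (!hasPermission(req.user.roles, needed)) return res.status(403).json({ error: "forbidden" });
    next();
  };
}
```

Because a revoke is part of the plan, removing a permission from the constants and re-running the script also removes it from the database, so the constants file stays the single source of truth and no mutation endpoint is needed.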
