Can anyone show code examples of how the permissions work?
I couldn't find a single example in Discord. Perhaps you have any ideas on this. I have never done permissions.
67 Replies
Are you referring to some specific parts of the framework? Doesn't sound Solid-specific.
I mean how to check the user's rights, for example, to create/edit/delete
What have you tried, where are you blocked?
you basically need either serialized information (which you need to decode) from the cookie or the Authorization header of the user's request to determine their authorization and authentication
you don't know what user rights are??
Frontegg
User Role and Permission Management | Frontegg
User role and permission management is one of the biggest challenges SaaS businesses are facing today. Here's how to get things done smoothly.
you mean row level security in database or user session that contains information about their role and permission?
contains information about their role and permission
so I was talking about where the session is stored
I have an API endpoint; how do I check the role and permissions correctly?
role can either be a string or a sequence of bit flags (1 and 0 for a permission being either on or off; the bit position determines which kind of permission it is)
then what's the problem that you need help with? Is it how to implement the same thing in SolidStart?
I need an example of how role and permissions checking is implemented
maybe there is a project where you can see an example
https://vinxi.vercel.app/api/server/cookies.html
https://vinxi.vercel.app/api/server/session.html
i think these 2 should be related
I don't understand what cookies and a session have to do with it.
but how does this work?
This has nothing to do with role verification and permission
Maybe that makes more sense
Loftware Cloud
YouTube
Managing Access Roles and Permissions
Learn about the relationships between users, access roles, and role permissions. You’ll see how to create new access roles and how to set new role permissions. You’ll also learn how to assign access roles you create to your new and existing users.
so you mean the permission model?
@Atila hope you can help
:Worry_DontKnow:
I think what @TaQuanMinhLong means is that in order to Authorize/Block a user you must have them Authenticated. That's where the session cookie comes in handy. You authenticate and store that information in an HTTP-only cookie (HTTP-only because it's safer from MITM attacks).
With that done, it's all about your db architecture and relationships to define what resource a user has or doesn't have access to. SolidStart doesn't have any affordances for that part... what we do is the storing and handling of the authentication and, once you've figured out what you want to do with the user, you can use SolidStart to redirect or deliver the resource to them.
we do some degree of Row-Level Security to protect routes or not, thus redirecting the user or not.
In this video I rolled auth from scratch, but I didn't get into details about Row-Level Security (permissions) because from a SolidStart perspective there's nothing to be done in that sense; I was just showing the Application layer and not the Database layer
https://www.youtube.com/watch?v=IXvLskm6pxg&t=1s
How do you check access to specific components or widgets based on user role?
once you have the user authenticated, it's just about either delivering the resource or sending them somewhere else.
Solid-Router makes it easy: you can just throw a redirect at any point
@Atila you must know what user roles and permissions are.
I didn't write a word about authorization here
I was asking about user roles and permissions
I mean
you didn't write the word, but you must understand that you can't have or designate roles to a user without knowing who the user is (that's called authentication), so once you bring "roles" and "permissions" up, the fact that you must have authentication is, in fact, implied.
As I wrote in my very first message in this thread:
in order to Authorize/Block a user you must have them Authenticated
and again, on my first message on this thread:
it's all about your db architecture and relationships to define what resource a user has or doesn't have access to.
the quote above is about "permissions", though I don't write the word. The abstraction you have in that screenshot with
<AllowedAccess>
is not something SolidStart has built-in. I already told you how to implement that:
what we do is the storing and handling of the authentication and, once you've figured out what you want to do with the user, you can use SolidStart to redirect or deliver the resource to them.
the logic for labelling the role and granting/removing permissions needs to be done on your end.
In this thread I asked for examples of projects, not a description of what authorization is.
I understand what authorization is, but I haven't seen any examples of how to work with user roles and permissions
you didn't ask anything. we had to imply.
I couldn't find a single example in Discord. Perhaps you have any ideas on this. I have never done permissions
But ok, I also sent you a link for a tutorial with the timestamp where I implemented authorization access to a URL... 🤷
Your answers focus on authentication (determining user identity) and session management, whereas I am clearly interested in role and permission management after authentication.
await accessRoles([Role.ADMIN]);
I think it is wrong and not convenient to write such code everywhere
Does a middleware work for this case?
You mean authorization? Then you still need to know who the user is (where session and identity come in) and then get the permission scope they have
Then you can determine what they can or cannot do
If you're asking about organizing and managing permission, it's a whole different story and out of solidjs
Yes, SolidStart is responsible for that. I'm asking about organizing and managing permissions
:confusednick:
I'm afraid it isn't
It's your choice to shape your architecture
There are many ways to achieve the thing
But I'm using solidstart to handle this endpoint
Yes, and here are the steps
yes, I can get the user's role if he is authorized
Then what data did you store in the user's role
But this code with the role check looks terrible
Solidstart or any other framework is just the tool to achieve your goal
yes
You might want to check middleware
Server Routes - Nitro
Nitro supports filesystem routing to automatically map files to h3 routes.
:Worry_DontKnow:
do people usually check the role through middleware?
Make a role checker and process for every request
If you see something keep repeating on every request, then use middleware
Not just role
authentication is also the same
Is there an example?
The docs are not enough?
:confusednick:
@Atila I think you have an example of middleware
:hehehe:
How do I check role or permissions in middleware?
How do I make it convenient
:_Cheems_Jztroi:
so the code doesn't look like a piece of crap.
There's only one way: follow what the framework tells you to do, because it's the framework
:Worry_CoffeeHMM:
It's already convenient
I haven't seen any examples with role or permissions checking )
so I don't know what the framework follows.
Have you done the middleware part?
there's too little information and I'm trying to learn something.
Use middleware to get user's role
yes
Then when you have the role, what would you do next
how do I find out what the user is referring to and what method he is using?
If your middleware is at route level, then it should have the information about what method and API route the user called
Like if the user makes PUT /api/user/<user_id> then you know what handler would be called to handle this request
It's also your implementation of how middleware is placed before one or more route handlers
I get that.
Ok then is it solved?
I need to look at some good code, need an example.
:ferrisCluelesser:
Man, just make it work first
Then you can organize later
I'll try.
I'll write it up later
Good luck
:_Worry_Gone:
:worryThumbs: