@@sohailkashif6992 a common cope I would get hit with in boot camp was, "Depends on your use case" Which it actually does. Having a hard time understanding the relationship between a user of the database And A user that is using the site.
7:11 Th res.Status Should be 401 Not 403 401 Means Unauthorized , Forbidden Mean He is Sign Up But he doesn't have the permission to access to the given operation. Thank You btw !
I believe you mixed up the status codes a bit. 401 Unauthorized - send this code when the user is not authorized to view the content (as in the user didn't login) 403 Forbidden - send this code when the user is logged in, but is not allowed to view specific content The difference between these status codes is that 401 should be sent if authorization fails, but proper authorization is possible while 403 is sent when the user is authorized, but doesn't have the required permissions.
are you sure? authentication means verifying identity. It gets confusing because the header used to authenticate is called 'authorization' but it is still authentication and 401. authorization means verifying permissions which is 403
@@cheetahBeachwood Yes, he's correct. The title of the status code is a bit messed up, should probably have been "Unauthenticated" instead, it generates a lot of confusion.
Yay!!!!!!!!!!!!!!!!!!! So awesome!!! Thank you !!!! I was just thinking about this because I been following your other tutorials and I love them. I am excited to watch this video.
I've got a permission system where the permissions are strings like "mail.create" or "mail.*". Each user has an array of permissions, and the permission strings are referenced in a POJO that maps object keys to permission names. So if you have an endpoint that should be accessible to anyone with a mail permission, you call `hasAnyPermission(req.user, Permissions.mail)` where Permissions.mail is an object containing more fine-grained permissions, and that endpoint would be accessible to anybody with a "mail.(whatever)" permission. "*" is a wildcard that refers to all sub-permissions, so if someone has the permission "*" then they're a superuser, and if they have the permission "boards.*" then they can do anything on any image board. There are some functions, like `hasAnyPermission` or `hasPermission` that you stick at the beginning of your route handler to enforce the permissions. Of course you don't have to put them at the beginning of your route handler - the entire frontend of the app is handlebars so I also use them on specific pages where I want to display some items/links but each link requires a separate permission. I'm actually pretty surprised that I've made it this far using only handlebars and plain JS for the frontend. The backend is NodeJS with Typescript which is great but I've managed to write a multiplayer FPS almost entirely in plain JS (server-side is that typescript nodejs I just mentioned) and build a forum engine and now I've set up a mail server and a way for users to create and manage email addresses on my domain. handlebars may not be flashy but damn if I like it
It would be awesome if you could create like a mini blog[or anything] with react & express that uses user-based roles. I'm trying to add user based rules to my react app :p
please make a complete node course for beginners to intermediate level and an advanced node course too. We are ready to buy it. Please vote if u guys need it too.
Great content. Would love to see an elaborated version of this with more of a real world scenarios where an user can have multiple role for different context.
@@WebDevSimplified I feel that will create some problem. Let me explain with your example. Say I introduce two new roles project viewer and project admin. Now one user can be project viewer for one project and project admin for another. If I model my user to have an array of roles then how do I keep track of which project he is an admin of.
@@smsibasish I think you can simply tie the role to the project, meaning your DB entry can look like this: Projects: [ { id:1, name:"first project", userId: 1, userRole: canView}, ... ] then you check for the user's role with its id to distinguish between what can be viewed and what can be edited, deleted or updated but what case should require something like that?
@@mrviometal4948 consider this example. A user can be part of many groups and a group may contain a few user. A user can be a admin of few groups but member of other groups. In that case what should be the role of the user in User model and should the Group model have the admin and member fields separately.
@@smsibasish I see, I think it can be solved by an abstraction between admin and view. i.e. any admin can view, but not any viewer can be an admin. And so, the edit and delete have to be from an admin or the respective user of the project. But the project entries can contain an array of users who can view...i.e. => Projects: [ { id:1, name:"first project", userId: 1, usersWhoCanView: [2,3,4,5...]}, ... ] so in the implementation of the can view, we can look up the array if it contains the signed-in user's id. In this case, those who can view are (Admins, People who create the project i.e. userId, and any user in the array) Does that make sense?
You could have a super admin that would have the ability to delete any project. If an employee is no longer working for the company, you might want to have someone either delete that employee's project or reassign them to another user to complete.
Thanks for the great tutorial. In the end, I'm just wondering (if we work with real data obtained from the database), what is the best way to filter the data (in this case the scopedProjects function). If we have a lot of data, in this case we need to fetch all of them and then filter them. Isn't it better (in terms of performance) to check the role first and then pull only specific (filtered on db query level) data from the database?
mmh, i think there is some confusion between permissions and actually filtering the correct data. One thing is permission based on levels (the higher level, the higher the privilege to see things), and one things is to filter the correct projects for the user. wouldn't that be a filter applied at DAO level which returns the right data rather than crammining into the permissions? Permission after all should be agnostic to the kind of data you are handling, and should worry only about roles . correct me if I am wrong?
Roles are ok, but they need to be predefined and are somewhat rigid. Most systems need a level of granularity. Roles can be defined as sets of keys/tokens/ids in an array. Each permission is a GUID or some uniquely identifiable string or number. Instead of role === "SOME ROLE", you use permissions.includes("SOME PERMISSION") This can also be upgraded later to use a database table. You can have per-user permissions on just about anything in a system. You can even assign capabilities after certain tasks are completed, such as verifying an email address (now the user can create more than 3 projects) or hitting a certain threshold of positive feedback/likes (now a user is a community moderator). Variable levels of subscription billing. Pre-requisites in courseware, etc. No need to store this information as special user data. If it's something a user can do, make a key for it, and put it into this array. If the user can't do it. Take it out. Simple, flexible. You end up with the flexibility you'll need for an app to work in an enterprise environment.
Thanks a lot ! great video ! Please how can i protect my front-end routes using those APIs ? For example, when users login, the Admin would have route to the admin page but normal users not ? is it secure to check roles in the front-end ?
You dont view anything in the browser? I'm using the ejs view engine and am having problems getting the ._id from mongodb to verify that the user is the owner of a post. I cannot find a work around. Maybe this would do it 🤔
Hi can you make a video for multiple type accounts using mern stack , for example there are two types of users regular users, product manufacturers, from which we will take different information from both of them. But we need to allow them to login from same page. Is it possible ?
surely on signup you wouldnt have a choice of role, so how would you assign the ADMIN role other than everyone is BASIC. would this be done in the backend?
Legend! Love the way you clearly explain these concepts in a simple way. Cheers bro. You are on my recommended channel list on my YT
i recommend you both on mine
Legend praising another legend
This comment section is pretty legendary
Ok
Man I wonder if Kyle actually realises how much he helps us out with his vids man
Respect man
React kids won't understand u...
@@MrEnsiferum77 реакт тут причем?
pretty much exactly the video I needed for a project. My man web dev simplified is a legend.
You get it m8
@@cdporgrammer7168 dear how it connect with mongodb?
Very true.
He is one of the few "bigger" code UA-camrs that has beneficial stuff I've used in real projects
@@sohailkashif6992 a common cope I would get hit with in boot camp was,
"Depends on your use case"
Which it actually does.
Having a hard time understanding the relationship between a user of the database
And
A user that is using the site.
this dude is literally a mentor
You're simply the best out there because you explain your content very well and you go straight to the point, respect man you're a legend !
7:11 Th res.Status Should be 401 Not 403
401 Means Unauthorized , Forbidden Mean He is Sign Up But he doesn't have the permission to access to the given operation.
Thank You btw !
kakashi hatake😍😍
Before watching this video, I was creating separate documents for admin and user. Thank you for such a clear explanation tutorial.
I did that and submited lol. Had to pay for that in viva.
This video is so motivating since I was taking a break from programming bc of authentication and authorization. Thank you so much!
Kayel your videos are greate for intermediat developers. Clear and simple explanations. Have been following you. You are recommended.
*Kyle
*great
*intermediate
I always keep telling everyone to subscribe to your channel. you're really great really hoping people would recognize you more often.
Never happier when any youtuber uploads
I believe you mixed up the status codes a bit.
401 Unauthorized - send this code when the user is not authorized to view the content (as in the user didn't login)
403 Forbidden - send this code when the user is logged in, but is not allowed to view specific content
The difference between these status codes is that 401 should be sent if authorization fails, but proper authorization is possible while 403 is sent when the user is authorized, but doesn't have the required permissions.
are you sure?
authentication means verifying identity. It gets confusing because the header used to authenticate is called 'authorization' but it is still authentication and 401.
authorization means verifying permissions which is 403
I agree... 401 is for unauthorized (not logged in) and 403 is forbidden (resource authorization)
@@cheetahBeachwood Yes, he's correct. The title of the status code is a bit messed up, should probably have been "Unauthenticated" instead, it generates a lot of confusion.
@Jovan Jevtic jovaneeeee
Currently I'm learning MEAN and this is exactly what I need for my pet project. Thank you so much for what you're doing!
Awesome video. Concept of modularity with pure functions make this truly scalable.
such a clear explanation, thank you!
My name is Kyle and my job is to simplify the web for you!
Your tutorials are always gre8!
Yay!!!!!!!!!!!!!!!!!!! So awesome!!! Thank you !!!! I was just thinking about this because I been following your other tutorials and I love them. I am excited to watch this video.
You've Successfully Simplified Web For Us. Mission Accomplished 😎
Thanks so much for this. One of the better Node tutorials I've seen.
Awesome, helped me with some of my lingering middleware integration ignorance. Well explained!
OMG! thank you. I believe in Web Dev Simplified supremacy!!!!!
Awesome. You are the best. I wonder who could be so unfair to dislike it?
Every time I get stuck in something and try to solve a problem by myself. I'm always ended up on your video finding a solution
Literally god tier content
Kyle ... One Word: Genius
Your tutorials are top notch Kyle!
Your video help me too much thanks 🙏
This is the best video about role based authentication...Thanks
you explain things so simply....easy to follow.....
Love the progression in this video. Super clear
I would recommend to assign every role an int so you can calculate up and downwards !
Edit: To calculate the inheritance of the groups if given!
Why ? explain briefly please..
@@montasirmahmud3585 Then you can just use bit calculations to check if a role is hierarchically over another role or not by for example using >=
Nice. Introductory tutorial on how to manage user roles.
Kyle ... great tutorial ... very glad I found your channel! Thank you.
I've got a permission system where the permissions are strings like "mail.create" or "mail.*". Each user has an array of permissions, and the permission strings are referenced in a POJO that maps object keys to permission names. So if you have an endpoint that should be accessible to anyone with a mail permission, you call `hasAnyPermission(req.user, Permissions.mail)` where Permissions.mail is an object containing more fine-grained permissions, and that endpoint would be accessible to anybody with a "mail.(whatever)" permission. "*" is a wildcard that refers to all sub-permissions, so if someone has the permission "*" then they're a superuser, and if they have the permission "boards.*" then they can do anything on any image board. There are some functions, like `hasAnyPermission` or `hasPermission` that you stick at the beginning of your route handler to enforce the permissions.
Of course you don't have to put them at the beginning of your route handler - the entire frontend of the app is handlebars so I also use them on specific pages where I want to display some items/links but each link requires a separate permission. I'm actually pretty surprised that I've made it this far using only handlebars and plain JS for the frontend. The backend is NodeJS with Typescript which is great but I've managed to write a multiplayer FPS almost entirely in plain JS (server-side is that typescript nodejs I just mentioned) and build a forum engine and now I've set up a mail server and a way for users to create and manage email addresses on my domain. handlebars may not be flashy but damn if I like it
Just found your channel, loving it so far.
Just want to say thankyou man. Words are short here.
As usual, great video - clear, concise and immediately usable. Thanks!
Your video helps me a lot. I really appreciate your effort.
Thank you so much!
Thank you very much. This video... no, all your videos I watched are amazing and helpfull!
Very good explained , Love from India.
Exactly the video I needed. Thanks man.
YOU ARE AWESOME thankyou for putting great content, with fast but effective and SIMPLE :)
Thank you very much! This is exactly what I needed for my project!
Enjoyed the turotial throughly!
20:31 does it make sense in practice ? I'm pretty sure an admin should have right to delete any project
best teacher ever
very clear, it’s helpful in my project. Thanks a lot
This video came in the perfect time. Thank you!
It would be awesome if you could create like a mini blog[or anything] with react & express that uses user-based roles. I'm trying to add user based rules to my react app :p
Thank you so much Kyle. I found this very helpful.
too good. I did a version in typescript but followed your flows. Thanks
Thank you for such an amazing tutorial!
please make a complete node course for beginners to intermediate level and an advanced node course too. We are ready to buy it. Please vote if u guys need it too.
This is what i want , u are awesome sir 🤘🤘🤘
YOu are amazing... Really simplified complex things
So accurate with the name web dev SIMPLIFIED
Great content. Would love to see an elaborated version of this with more of a real world scenarios where an user can have multiple role for different context.
Really all you need to do is make the user.role property an array and then check if the role is in the array or not.
@@WebDevSimplified I feel that will create some problem. Let me explain with your example. Say I introduce two new roles project viewer and project admin. Now one user can be project viewer for one project and project admin for another. If I model my user to have an array of roles then how do I keep track of which project he is an admin of.
@@smsibasish I think you can simply tie the role to the project, meaning your DB entry can look like this:
Projects: [
{ id:1, name:"first project", userId: 1, userRole: canView},
...
]
then you check for the user's role with its id to distinguish between what can be viewed and what can be edited, deleted or updated
but what case should require something like that?
@@mrviometal4948 consider this example. A user can be part of many groups and a group may contain a few user. A user can be a admin of few groups but member of other groups. In that case what should be the role of the user in User model and should the Group model have the admin and member fields separately.
@@smsibasish I see, I think it can be solved by an abstraction between admin and view. i.e. any admin can view, but not any viewer can be an admin. And so, the edit and delete have to be from an admin or the respective user of the project. But the project entries can contain an array of users who can view...i.e. =>
Projects: [
{ id:1, name:"first project", userId: 1, usersWhoCanView: [2,3,4,5...]},
...
]
so in the implementation of the can view, we can look up the array if it contains the signed-in user's id. In this case, those who can view are (Admins, People who create the project i.e. userId, and any user in the array)
Does that make sense?
Nice one - Just for the sake of DRY : scopedProjects = (user, projects) => projects.filter(project => canViewProject(user, project))
Really amazing explanation!
Thanks for sharing, it is nice and easy to follow which is a massive help.
Thank you so much for the tutorial video it's quite informative and professional
Great content. Gives motivation to keep our channel going.
THANK YOUUUUUUUUUUU!!!!!! I finally understand this.
wow! such a great tutorial. thanks for the guide!
I added this video to my Gold Collection
I love you and PedroTech, both kinda feel alike to me
The best educational videos
You could have a super admin that would have the ability to delete any project. If an employee is no longer working for the company, you might want to have someone either delete that employee's project or reassign them to another user to complete.
exactly what i was looking for
Thanks for the great tutorial. In the end, I'm just wondering (if we work with real data obtained from the database), what is the best way to filter the data (in this case the scopedProjects function).
If we have a lot of data, in this case we need to fetch all of them and then filter them. Isn't it better (in terms of performance) to check the role first and then pull only specific (filtered on db query level) data from the database?
Perfect. Very nicely done
that was a great video thankyou so much!
Thank you. This was a great learing experience.
Great layout of material.
Found what I am looking for thanks.
Hey Kayle please do video on Gulp, Grunt, webpack and parcel & when to choose which tool
Great content, very helpful, thanks lots
I was just about to look for this information
Great video. I just think one small refactor is to use the canViewProject function inside your filter for scopedProjects
Thank you very much , as always easy explanations.
Please add how to protect the server from attacks like ddos and brute force attack.
You're my boss ❤
Thank you for this video!
great video bro, please do a MERN project like this with frontend
Kyle to webcam: Focus on my hair not the content
mmh, i think there is some confusion between permissions and actually filtering the correct data. One thing is permission based on levels (the higher level, the higher the privilege to see things), and one things is to filter the correct projects for the user. wouldn't that be a filter applied at DAO level which returns the right data rather than crammining into the permissions?
Permission after all should be agnostic to the kind of data you are handling, and should worry only about roles . correct me if I am wrong?
Roles are ok, but they need to be predefined and are somewhat rigid. Most systems need a level of granularity.
Roles can be defined as sets of keys/tokens/ids in an array. Each permission is a GUID or some uniquely identifiable string or number.
Instead of role === "SOME ROLE", you use permissions.includes("SOME PERMISSION")
This can also be upgraded later to use a database table. You can have per-user permissions on just about anything in a system. You can even assign capabilities after certain tasks are completed, such as verifying an email address (now the user can create more than 3 projects) or hitting a certain threshold of positive feedback/likes (now a user is a community moderator). Variable levels of subscription billing. Pre-requisites in courseware, etc. No need to store this information as special user data.
If it's something a user can do, make a key for it, and put it into this array. If the user can't do it. Take it out. Simple, flexible.
You end up with the flexibility you'll need for an app to work in an enterprise environment.
i was thinking of the same, thanks
I like your teaching style and I got correct concept from you when I search. can you upload videos with hindi dubbing? is it possible.
Thanks a lot ! great video !
Please how can i protect my front-end routes using those APIs ?
For example, when users login, the Admin would have route to the admin page but normal users not ? is it secure to check roles in the front-end ?
Awesome video !!!
Thank you, Kyle.
great as usual
Nicely explained
More tutorials please!
You are so great.can you tell me what is your main job besides youtube?
I am a fullstack web developer consultant.
If someone knows someone else's userId there could be problems. How do we make sure someone cant modify userId in the request?
This is the question that worries me as well
use jwt short lived token
Awesome video
You dont view anything in the browser? I'm using the ejs view engine and am having problems getting the ._id from mongodb to verify that the user is the owner of a post. I cannot find a work around. Maybe this would do it 🤔
Hi can you make a video for multiple type accounts using mern stack , for example there are two types of users regular users, product manufacturers, from which we will take different information from both of them. But we need to allow them to login from same page. Is it possible ?
surely on signup you wouldnt have a choice of role, so how would you assign the ADMIN role other than everyone is BASIC. would this be done in the backend?
hlo can u tell me how to compile and run this application ?
great video though, would that be useful for a management systems as well?
thanks for this man