Permissions
LaunchFast uses Role-Based Access Control (RBAC). Each user has one or more roles, and each role has a set of permissions. A user's effective permissions are the union of the permissions of all their roles: a permission granted by any one of a user's roles is held, regardless of what the other roles grant.
Default roles
The development seed creates two roles with sensible defaults:
- user — standard user with own-resource permissions
- admin — elevated permissions including access to any resource
Permission format
Permissions follow the pattern action:entity:access, for example delete:user:any. The default seed includes create, read, update, and delete actions for the user entity with own and any access levels.
| Segment | Description | Examples |
|---|---|---|
| action | What operation | create, read, update, delete |
| entity | What resource | user, note |
| access | Whose resources | own, any |
Server-side checks
Use the server-side utilities in loaders and actions to enforce permissions. These are the checks that actually protect data; a UI check only decides what is rendered and is never a substitute for them.
```ts
// Throws 403 if the user lacks the permission.
// 'delete:user:any' is the elevated form; a user acting on their own record
// would be checked against 'delete:user:own' instead.
const user = await requireUserWithPermission(
  request,
  'delete:user:any',
)
// Throws 403 if the user doesn't have the role
const admin = await requireUserWithRole(request, 'admin')
```
UI checks
For conditionally rendering UI based on permissions. These helpers only hide or show controls; the server-side check still runs when the action is submitted.
```ts
const user = useUser()
const canEdit = userHasPermission(user, 'update:note:own')
const isAdmin = userHasRole(user, 'admin')
```
Managing roles
There is currently no built-in UI for managing permissions. Use Prisma Studio to create and assign roles and permissions during development. For production, seed roles via prisma/seed.ts.
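Pulling the sections above together, here is an added example, not LaunchFast's own code, that shows what the permission model implies in practice: a strict parser for the action:entity:access format, the union-of-roles check, and the server-side pattern behind a call such as requireUserWithPermission, where own versus any is derived from the resource's actual owner rather than assumed. The function names, the role seed and the two users are constructed for illustration and do not match the project's seed or utilities.

```typescript
// Added example (not LaunchFast's own code). Function names, seed data and
// users are constructed for illustration.

type Action = 'create' | 'read' | 'update' | 'delete'
type Access = 'own' | 'any'

interface Permission { action: Action; entity: string; access: Access }
interface Role { name: string; permissions: Permission[] }
interface SessionUser { id: string; roles: Role[] }

const ACTIONS: readonly Action[] = ['create', 'read', 'update', 'delete']
const ACCESSES: readonly Access[] = ['own', 'any']

// Constructed seed in the spirit of the page's default roles: `user` holds
// own-resource permissions, `admin` holds any-resource permissions. The admin
// role deliberately has no `own` entries; the union check below is what lets
// a user holding both roles act on their own resources as well.
const SEED_ROLES: Role[] = [
  {
    name: 'user',
    permissions: [
      { action: 'create', entity: 'note', access: 'own' },
      { action: 'read', entity: 'note', access: 'own' },
      { action: 'update', entity: 'note', access: 'own' },
      { action: 'delete', entity: 'note', access: 'own' },
      { action: 'read', entity: 'user', access: 'own' },
      { action: 'update', entity: 'user', access: 'own' },
    ],
  },
  {
    name: 'admin',
    permissions: [
      { action: 'read', entity: 'note', access: 'any' },
      { action: 'update', entity: 'note', access: 'any' },
      { action: 'delete', entity: 'note', access: 'any' },
      { action: 'read', entity: 'user', access: 'any' },
      { action: 'delete', entity: 'user', access: 'any' },
    ],
  },
]

// Strict parser for 'action:entity:access'. A malformed or misspelled string
// throws instead of silently matching nothing, so typos surface in tests.
function parsePermission(s: string): Permission {
  const parts = s.split(':')
  if (parts.length !== 3) throw new Error(`malformed permission: ${s}`)
  const [action = '', entity = '', access = ''] = parts
  if (!ACTIONS.includes(action as Action)) throw new Error(`unknown action: ${action}`)
  if (entity === '') throw new Error(`empty entity in: ${s}`)
  if (!ACCESSES.includes(access as Access)) throw new Error(`unknown access: ${access}`)
  return { action: action as Action, entity, access: access as Access }
}

// Union semantics: the user holds a permission if any of their roles grants
// exactly that action/entity/access triple. `any` does not imply `own` here;
// the guard below decides which of the two to ask for.
function hasPermission(user: SessionUser, permission: string): boolean {
  const want = parsePermission(permission)
  return user.roles.some(role =>
    role.permissions.some(
      p => p.action === want.action && p.entity === want.entity && p.access === want.access,
    ),
  )
}

function hasRole(user: SessionUser, roleName: string): boolean {
  return user.roles.some(role => role.name === roleName)
}

// Mirrors the page's "throws 403" contract without depending on a framework.
function forbidden(message: string): Error & { status: number } {
  return Object.assign(new Error(message), { status: 403 })
}

// Server-side guard. `own` only means something when it is tied to a real
// ownership comparison, so the caller passes the owner id of the resource as
// loaded from the database, and the guard derives `own` or `any` from it.
// Returns the permission string it required, for logging or tests.
function requirePermissionOnResource(
  user: SessionUser,
  action: Action,
  entity: string,
  resourceOwnerId: string,
): string {
  const access: Access = resourceOwnerId === user.id ? 'own' : 'any'
  const needed = `${action}:${entity}:${access}`
  if (!hasPermission(user, needed)) throw forbidden(`missing permission ${needed}`)
  return needed
}

// Constructed users: alice has only the user role; root has both roles.
function userWithRoles(id: string, ...roleNames: string[]): SessionUser {
  return { id, roles: SEED_ROLES.filter(role => roleNames.includes(role.name)) }
}
const alice = userWithRoles('alice', 'user')
const root = userWithRoles('root', 'user', 'admin')
```

The point to carry into real loaders and actions is the last function: ask for the own form only after comparing the resource's owner to the session user. A bare check for update:note:own proves nothing about which note is being updated; the ownership comparison (or an equivalent ownerId filter in the database query) is what gives own its meaning.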
Related
- Email and password authentication — how users sign up and log in
- Database — Prisma schema and seeding