Practice & Assessment
Test your understanding of Role-Based Access Control
Multiple Choice Questions
1. A user with role 'editor' and permission 'post:update:own' tries to update a post owned by a different user. The server should return:
2. Why should a Set be used instead of an Array for storing a role's permissions in a permission map?
3. An endpoint returns 403 when a resource does not exist. What vulnerability does this create?
4. A user submits POST /register with body { email, password, role: 'admin' }. What prevents privilege escalation here?
5. What is the main tradeoff of storing a user's role inside a JWT claim instead of doing a database lookup on each request?
Coding Challenges
1. RBAC Permission System with Ownership Checks
Build an Express API with three roles: viewer (post:read), editor (post:read, post:create, post:update:own) and admin (all permissions plus post:delete:any). Implement an in-memory posts array with fields id, title and authorId. Create routes: GET /posts (all roles), POST /posts (editor and admin), PUT /posts/:id (editor may update own posts, admin may update any), DELETE /posts/:id (admin only). Use a requirePermission middleware and a requireOwnerOrAdmin middleware. Return 401 if unauthenticated, 403 if authenticated but not authorized, 404 if the post does not exist. Set authorId from req.user on create, never from the request body, or the ownership check is meaningless. Simulate req.user by reading custom X-User-Id and X-User-Role headers; this is a classroom stand-in for the JWT auth of module 2 and must never be used in a real deployment, since any client can set those headers. Input: HTTP requests with user headers. Output: JSON data or error responses. Estimated time: 25-30 minutes.
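One way to structure the challenge, as an added example that is not the course's reference solution: the permission map, requirePermission and requireOwnerOrAdmin are written as Express-style (req, res, next) middleware, but the chain is driven by a small in-process dispatcher so the file runs under plain node without installing Express. Assumptions not stated on the page: admin holds post:update:any and post:delete:any; header names are lowercased as Node's http module does; requirePermission accepts several permissions and passes if the user holds any of them.

```javascript
// Added example (not the course's reference solution). Assumptions: admin has
// post:update:any and post:delete:any; headers arrive lowercased; identity
// from X-User-Id / X-User-Role is a classroom stand-in for real auth.

// Role -> Set of permissions: O(1) membership test, no duplicate entries.
const ROLE_PERMISSIONS = new Map([
  ['viewer', new Set(['post:read'])],
  ['editor', new Set(['post:read', 'post:create', 'post:update:own'])],
  ['admin', new Set(['post:read', 'post:create', 'post:update:own',
    'post:update:any', 'post:delete:any'])],
]);

function hasPermission(role, permission) {
  const perms = ROLE_PERMISSIONS.get(role);
  return perms !== undefined && perms.has(permission);
}

// Missing id or a role outside the map -> 401 (unknown roles have no rights).
function authenticate(req, res, next) {
  const id = req.headers['x-user-id'];
  const role = req.headers['x-user-role'];
  if (!id || !ROLE_PERMISSIONS.has(role)) {
    return res.status(401).json({ error: 'unauthenticated' });
  }
  req.user = { id, role };
  return next();
}

// Passes if the user holds ANY listed permission, else 403. Runs before the
// resource lookup, so a role with no update rights gets 403 whether or not the
// post exists and cannot enumerate post ids via 403/404 differences.
function requirePermission(...permissions) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: 'unauthenticated' });
    if (!permissions.some((p) => hasPermission(req.user.role, p))) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}

// Loads the post (404 if absent), then allows `action` when the user holds
// post:<action>:any, or post:<action>:own and is the author.
function requireOwnerOrAdmin(posts, action) {
  return (req, res, next) => {
    const post = posts.find((p) => p.id === req.params.id);
    if (!post) return res.status(404).json({ error: 'not found' });
    const any = hasPermission(req.user.role, `post:${action}:any`);
    const own = hasPermission(req.user.role, `post:${action}:own`)
      && post.authorId === req.user.id;
    if (!any && !own) return res.status(403).json({ error: 'forbidden' });
    req.post = post;
    return next();
  };
}

// Route table: "METHOD path" -> middleware chain over the in-memory store.
function buildApp(posts) {
  let nextId = posts.length + 1;
  return {
    'GET /posts': [authenticate, requirePermission('post:read'),
      (req, res) => res.json(posts)],
    'POST /posts': [authenticate, requirePermission('post:create'),
      (req, res) => {
        // Allow-list body fields; authorId comes from the caller's identity,
        // never from the body (mass-assignment guard).
        const post = { id: String(nextId++), title: String(req.body.title),
          authorId: req.user.id };
        posts.push(post);
        return res.status(201).json(post);
      }],
    'PUT /posts/:id': [authenticate,
      requirePermission('post:update:own', 'post:update:any'),
      requireOwnerOrAdmin(posts, 'update'),
      (req, res) => {
        req.post.title = String(req.body.title);
        return res.json(req.post);
      }],
    'DELETE /posts/:id': [authenticate, requirePermission('post:delete:any'),
      (req, res) => {
        const idx = posts.findIndex((p) => p.id === req.params.id);
        if (idx === -1) return res.status(404).json({ error: 'not found' });
        return res.json(posts.splice(idx, 1)[0]);
      }],
  };
}

// Minimal Express-like dispatcher: fake res, walks the chain through next().
function request(app, method, id, headers = {}, body = {}) {
  const chain = app[id === undefined ? `${method} /posts` : `${method} /posts/:id`];
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (data) => { res.body = data; return res; };
  const req = { headers, params: { id }, body };
  let i = 0;
  const next = () => { if (i < chain.length) chain[i++](req, res, next); };
  next();
  return res;
}

// Demo on constructed data: the quiz scenario, an editor updating another
// user's post.
const demoApp = buildApp([{ id: '1', title: 'first', authorId: 'u1' }]);
console.log(request(demoApp, 'PUT', '1',
  { 'x-user-id': 'u2', 'x-user-role': 'editor' }, { title: 'x' }).statusCode); // 403
```

The ordering inside the PUT chain is the part worth copying: the coarse permission check comes first, the existence check second, the ownership check last. A viewer therefore sees 403 for every post id, existing or not, while an editor, who can already list every post via GET /posts, is the only caller able to tell 404 from 403.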
Mini Project
Blog API with Full RBAC and JWT Auth
Build a REST API for a blog platform that combines the JWT auth from module 2 with RBAC. Users have roles viewer, editor and admin. Implement all auth endpoints (register, login issuing a JWT, refresh). Posts have: id, title, body, authorId, published. Routes: GET /posts (all roles; viewers see only published posts), POST /posts (editor and admin), PUT /posts/:id (editors their own posts, admins any), DELETE /posts/:id (admin only), POST /posts/:id/publish (admin only). Store roles in the DB (an in-memory array) and resolve them through a Redis-style cache (simulate with a Map whose entries expire after a TTL) rather than trusting a role claim baked into the token, so that a demoted user loses access when the cache entry is dropped instead of when the token expires. Add an admin-only POST /admin/users/:id/role to change a user's role; it must invalidate that user's cache entry. Protect every write route against mass assignment (allow-list body fields; never accept role or authorId from the client). Return the same JSON error shape throughout.
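The role store for the mini project, as an added example that is not the course's reference solution: a Map with per-entry expiry stands in for Redis, the admin role-change handler drops the cached entry after writing the DB, and registration ignores any client-supplied role. The clock is injectable so expiry can be exercised without sleeping. Password hashing is the JWT module's concern and is deliberately left out; the TtlCache, createRoleService, registerUser and compareAfterDemotion names are this example's own.

```javascript
// Added example (not the course's reference solution). A TTL Map stands in for
// Redis; the injected clock `now` exists so expiry is testable without waiting.

const ROLES = new Set(['viewer', 'editor', 'admin']);

class TtlCache {
  constructor(ttlMs, now = Date.now) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.entries = new Map();
  }
  get(key) {
    const entry = this.entries.get(key);
    if (!entry) return undefined;
    if (entry.expiresAt <= this.now()) { this.entries.delete(key); return undefined; }
    return entry.value;
  }
  set(key, value) {
    this.entries.set(key, { value, expiresAt: this.now() + this.ttlMs });
  }
  delete(key) { this.entries.delete(key); }
}

// POST /register: allow-list the body. `role` is always 'viewer' regardless of
// body.role, which is the entire mass-assignment defence for this route.
// Password hashing belongs to the JWT module and is omitted here.
function registerUser(db, body) {
  if (typeof body.email !== 'string' || typeof body.password !== 'string') {
    return { status: 400, error: 'email and password required' };
  }
  const user = { id: `u${db.length + 1}`, email: body.email, role: 'viewer' };
  db.push(user);
  return { status: 201, user };
}

function createRoleService(db, cache) {
  let dbReads = 0;
  return {
    dbReads: () => dbReads,
    // Called on every authenticated request: cache hit, else DB read and fill.
    getRole(userId) {
      const cached = cache.get(userId);
      if (cached !== undefined) return cached;
      dbReads += 1;
      const user = db.find((u) => u.id === userId);
      if (!user) return null;
      cache.set(userId, user.role);
      return user.role;
    },
    // Handler body for POST /admin/users/:id/role: admin only, closed role set,
    // DB write, then cache invalidation so the next request sees the new role.
    setRole(actor, userId, newRole) {
      if (actor.role !== 'admin') return { status: 403, error: 'forbidden' };
      if (!ROLES.has(newRole)) return { status: 400, error: 'unknown role' };
      const user = db.find((u) => u.id === userId);
      if (!user) return { status: 404, error: 'not found' };
      user.role = newRole;
      cache.delete(userId);
      return { status: 200, user: { id: user.id, role: user.role } };
    },
  };
}

// The JWT-claim tradeoff made concrete: a role copied into a token at login is
// a snapshot. After a demotion the cached DB lookup changes at once; the claim
// keeps the old role until the token expires.
function compareAfterDemotion(service, admin, userId) {
  const claimAtLogin = { sub: userId, role: service.getRole(userId) };
  service.setRole(admin, userId, 'viewer');
  return { tokenRole: claimAtLogin.role, liveRole: service.getRole(userId) };
}

// Demo on constructed data: a registration that tries to smuggle role: 'admin'.
const demoDb = [{ id: 'u1', email: 'root@example.com', role: 'admin' }];
const demoService = createRoleService(demoDb, new TtlCache(60_000));
registerUser(demoDb, { email: 'eve@example.com', password: 'pw', role: 'admin' });
console.log(demoService.getRole('u2')); // viewer
```

Keep the TTL short enough that a forgotten invalidation is bounded, and invalidate on every role write, including deletes or suspensions, since a cache hit after a DB change is exactly the staleness the role-in-JWT design suffers from, only shorter.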
