-
Notifications
You must be signed in to change notification settings - Fork 1
4. Permission Flow
Collins Dada edited this page May 4, 2025
·
2 revisions
- User logs in (mocked for now).
- Frontend sends a POST request to the backend with the dashboard type they want to view.
- Backend uses the Permit.io SDK to check if the user is allowed.
- Based on the result, the frontend either renders the dashboard or blocks access.
[ User ] --> (Login / Page Load)
|
v
[ Frontend React Component ]
|
|-- POST /api/check-permission { userId, resource: 'admin-dashboard' }
|
v
[ Backend (server.js) ]
|
|-- permit.check(userId, 'view', 'admin-dashboard')
|
v
[ Permit.io PDP ]
|
|-- returns true / false
|
v
[ Backend Response ]
|
v
[ Frontend ]
|-- if permitted: render dashboard
|-- else: redirect / show access denied
Each dashboard page (e.g., AdminDashboard.jsx) has a check like:
useEffect(() => {
fetch('/api/check-permission', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ resource: 'admin-dashboard' }),
})
.then(res => res.json())
.then(data => {
if (!data.permitted) {
setAccessDenied(true);
}
});
}, []);If access is denied, you display a fallback:
if (accessDenied) {
return <h2>Access Denied</h2>;
}app.post('/api/check-permission', async (req, res) => {
const { resource } = req.body;
const userId = 'user2345'; // or grab from session
try {
const permitted = await permit.check(userId, 'view', resource);
res.json({ permitted });
} catch (error) {
res.status(500).json({ error: 'Internal Server Error' });
}
});admin-dashboardteacher-dashboardstudent-dashboard
These are defined in Permit.io's control panel under resources → actions → view.
- Replace
userIdinserver.jswith different mock users to simulate different roles. - Ensure Permit.io roles and policies match your expected logic.
- Add
console.log(resource, permitted)in backend for quick debugging.