Build granular permission system
You are a backend security architect building a granular permission system for a Node.js/Express application. The user wants to implement role-based access control (RBAC) with resource-level permissions, permission inheritance, and dynamic permission checking.
What to check first
- Verify your project has express, jsonwebtoken, and a database driver installed: npm list express jsonwebtoken
- Check your database schema supports storing roles, permissions, and resource associations
- Confirm you have middleware set up in your Express app to extract JWT tokens and validate their signature and expiry before any authorization check runs
Steps
- Create a permissions database schema with role, permission, and role_permission junction tables; put resource type and resource ID fields on the junction table so a grant can be limited to one resource
- Define permission constants as a structured object: { USER: { CREATE: 'user:create', READ: 'user:read', UPDATE: 'user:update', DELETE: 'user:delete' }, POST: { ... } }
- Build a Permission model class with methods to check single permissions, multiple permissions (AND/OR logic), and resource-scoped permissions
- Create an authorize middleware factory that accepts required permissions and returns Express middleware checking both user role and resource ownership; deny by default and answer 403 when no rule explicitly allows the request
- Implement permission caching with TTL (using Redis or in-memory cache) to avoid database hits on every request, and evict a user's cached entry whenever their roles or permissions change so a revocation takes effect on the next request rather than at TTL expiry
- Add permission inheritance so child roles inherit parent permissions through recursive queries; guard the recursion against cycles in the role hierarchy
- Build an admin endpoint to assign/revoke permissions dynamically without redeploying; protect it with admin:manage_permissions and log every change
- Test with specific resource IDs: verify a user can edit their own post but not others' posts, and that a revoked permission is refused on the next request
Code
// permissions.js - Permission engine
const NodeCache = require('node-cache');

const PERMISSIONS = {
  USER: {
    CREATE: 'user:create',
    READ: 'user:read',
    UPDATE: 'user:update',
    DELETE: 'user:delete'
  },
  POST: {
    CREATE: 'post:create',
    READ: 'post:read',
    UPDATE: 'post:update',
    DELETE: 'post:delete'
  },
  ADMIN: {
    MANAGE_ROLES: 'admin:manage_roles',
    MANAGE_PERMISSIONS: 'admin:manage_permissions'
  }
};

class PermissionManager {
  constructor(db) {
    this.db = db; // assumed to expose query(text, params), e.g. a pg Pool
    this.cache = new NodeCache({ stdTTL: 3600 }); // 1 hour TTL
  }

  async getUserPermissions(userId) {
    const cached = this.cache.get(`user_perms_${userId}`);
    if (cached) return cached;
    // userId is bound as a parameter, never interpolated into the SQL text.
    const query = `
      SELECT DISTINCT p.permission_code, p.resource_type, rp.resource_id
      FROM users u
      JOIN user_roles ur ON u.id = ur.user_id
      JOIN roles r ON ur.role_id = r.id
      JOIN role_permissions rp ON r.id = rp.role_id
      JOIN permissions p ON rp.permission_id = p.id
      WHERE u.id = $1
    `;
    const { rows } = await this.db.query(query, [userId]);
    this.cache.set(`user_perms_${userId}`, rows);
    return rows;
  }
}

module.exports = { PERMISSIONS, PermissionManager };
Note: this example was truncated in the source after the role_permissions join; the permissions join, the WHERE clause, the cache write and the export are a minimal completion added here so the file runs, and assume a pg-style driver with $1 placeholders. See the GitHub repo for the latest full version.
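The page's code stops before the parts the Steps section asks for next: inheritance, AND/OR checks, resource-scoped grants and the authorize middleware factory with an ownership check. The following is an added example, not code from the original page or its GitHub repo. It runs offline over constructed in-memory tables that stand in for user_roles, roles and role_permissions, and it assumes (the page does not say) that the JWT middleware puts { id } on req.user and that a loader puts the target row, including ownerId, on req.resource.

```javascript
// rbac-example.js - added example, not code from the original page.
// Role inheritance, AND/OR checks, resource-scoped grants and an
// Express-style authorize() middleware factory over constructed data.

// Constructed sample data standing in for the user_roles, roles and
// role_permissions tables. resourceId === null covers every resource of
// that type; a specific resourceId limits the grant to that one resource.
const USER_ROLES = {
  alice: ['author'],
  bob: ['editor'],
  carol: ['viewer'],
  dave: ['viewer', 'post7_moderator'],
};
const ROLE_PARENT = { viewer: null, author: 'viewer', editor: 'author', post7_moderator: null };
const ROLE_PERMISSIONS = [
  { role: 'viewer', code: 'post:read', resourceType: 'post', resourceId: null },
  { role: 'author', code: 'post:create', resourceType: 'post', resourceId: null },
  { role: 'editor', code: 'post:update', resourceType: 'post', resourceId: null },
  { role: 'editor', code: 'post:delete', resourceType: 'post', resourceId: null },
  { role: 'post7_moderator', code: 'post:update', resourceType: 'post', resourceId: 'post-7' },
];

// Expand direct roles into the full set including every ancestor.
// The `seen` set stops the walk if the role table ever contains a cycle.
function expandRoles(roles) {
  const seen = new Set();
  const stack = [...roles];
  while (stack.length) {
    const role = stack.pop();
    if (!role || seen.has(role)) continue;
    seen.add(role);
    stack.push(ROLE_PARENT[role]);
  }
  return seen;
}

// Every grant attached to any effective role. In the page's PermissionManager
// this is the cached database query; here it is a filter over the arrays.
function getUserPermissions(userId) {
  const roles = expandRoles(USER_ROLES[userId] || []);
  return ROLE_PERMISSIONS.filter((g) => roles.has(g.role));
}

// Single permission, optionally scoped to one resource id. A grant scoped to
// a resource never matches when no resource id is supplied.
function hasPermission(userId, code, resourceId = null) {
  return getUserPermissions(userId).some(
    (g) => g.code === code && (g.resourceId === null || g.resourceId === resourceId),
  );
}
const hasAll = (userId, codes, resourceId) => codes.every((c) => hasPermission(userId, c, resourceId));
const hasAny = (userId, codes, resourceId) => codes.some((c) => hasPermission(userId, c, resourceId));

// Middleware factory. Assumes (not from the page) req.user = { id } from the
// JWT middleware and req.resource = { id, ownerId } from a loader.
// Anything not explicitly allowed is a 403; an empty rule is rejected up front.
function authorize(required, { mode = 'all', allowOwner = false } = {}) {
  const codes = Array.isArray(required) ? required : [required];
  if (codes.length === 0) throw new Error('authorize() needs at least one permission');
  const check = mode === 'any' ? hasAny : hasAll;
  return function authorizeMiddleware(req, res, next) {
    if (!req.user) return res.status(401).json({ error: 'unauthenticated' });
    const resourceId = req.resource ? req.resource.id : null;
    let allowed = check(req.user.id, codes, resourceId);
    // Ownership is read from the loaded resource, never from a client-supplied
    // field, so a caller cannot claim someone else's post as their own.
    if (!allowed && allowOwner && req.resource && req.resource.ownerId === req.user.id) {
      allowed = true;
    }
    if (!allowed) return res.status(403).json({ error: 'forbidden' });
    return next();
  };
}

// Drive a middleware with a fake req/res and report the decision.
function decide(mw, user, resource) {
  let status = null;
  let passed = false;
  const res = { status(code) { status = code; return this; }, json() { return this; } };
  mw({ user, resource }, res, () => { passed = true; });
  return passed ? 'allow' : status;
}

// Constructed posts: alice owns post-1, bob owns post-2, carol owns post-7.
const POSTS = {
  'post-1': { id: 'post-1', ownerId: 'alice' },
  'post-2': { id: 'post-2', ownerId: 'bob' },
  'post-7': { id: 'post-7', ownerId: 'carol' },
};
const editPost = authorize('post:update', { allowOwner: true }); // editors or the owner
const purgePost = authorize(['post:update', 'post:delete']);    // AND: both required

console.log(decide(editPost, { id: 'alice' }, POSTS['post-1']));  // allow (owner)
console.log(decide(editPost, { id: 'alice' }, POSTS['post-2']));  // 403 (neither owner nor editor)
console.log(decide(editPost, { id: 'dave' }, POSTS['post-7']));   // allow (grant scoped to post-7)
console.log(decide(purgePost, { id: 'alice' }, POSTS['post-1'])); // 403 (no owner bypass on AND rule)
```

Two points to carry back into the page's PermissionManager: a grant scoped to a resource id only matches once the resource has actually been loaded, so the loader must run before authorize() on the route; and because the page's cache keeps a user's rows for an hour, the admin assign/revoke endpoint has to call cache.del on that user's `user_perms_<id>` key (node-cache provides del), otherwise a revoked permission keeps working until the TTL expires.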
Common Pitfalls
- Treating this skill as a one-shot solution — most workflows need iteration and verification
- Skipping the verification steps — you don't know it worked until you measure
- Applying this skill without understanding the underlying problem — read the related docs first
When NOT to Use This Skill
- When a simpler manual approach would take less than 10 minutes
- On critical production systems without testing in staging first
- When you don't have permission or authorization to make these changes
How to Verify It Worked
- Run the tests from the Steps section: a user can edit their own post, gets 403 on someone else's, and a revoked permission is refused on the next request
- Compare the output against your expected baseline
- Check logs for any warnings or errors — silent failures are the worst kind
Production Considerations
- Test in staging before deploying to production
- Have a rollback plan — every change should be reversible
- Monitor the affected systems for at least 24 hours after the change
Related Authentication Skills
Other Claude Code skills in the same category — free to download.
JWT Auth
Implement JWT authentication from scratch
OAuth Setup
Set up OAuth 2.0 with multiple providers
NextAuth Setup
Configure NextAuth.js/Auth.js
Passport Setup
Set up Passport.js with strategies
Magic Link Auth
Implement passwordless magic link auth
Two Factor Auth
Add 2FA/MFA to authentication flow
Session Management
Implement secure session management
API Key Auth
Create API key authentication system