This documentation is for a legacy version of Next.js and Supabase. For the latest version, please visit the Next.js and Supabase V2 documentation

Managing User Permissions

Learn how to write a simple permissions system based on the users' role in your Makerkit applications

Most permissions are written in a single file at src/lib/organizations/permissions.ts.

Here, you can find some of the examples used in the boilerplate so that you can start writing your own.

Why are permissions written in a single file? Because it's easy to write inline logic and lose track of it. Therefore, we will write all the business logic within the same file and encapsulated as simple functions.

Let's take a look at a simple permission function in the boilerplate:

src/lib/organizations/permissions.ts
/**
*
* @param currentUserRole The current logged-in user
* @param targetUser The role of the target of the action
* @description Checks if a user can perform actions (such as update a role) of another user
* @name canUpdateUser
*/
export function canUpdateUser(
currentUserRole: MembershipRole,
targetUser: MembershipRole
) {
return currentUserRole > targetUser;
}

The function takes two parameters: the current user's role and the target user's role, and checks if the current user can update the target user's role (or anything).

Now, we can use the function above with the IfHasPermissions component to display or hide some parts of the application. This component automatically injects the current user's role, such as below:

<IfHasPermissions
condition={(currentUserRole) =>
canInviteUser(currentUserRole, targetUserRole)
}
>
<InviteUserComponent />
</IfHasPermissions>

The InviteUserComponent component will be displayed if the condition is truthy.

Otherwise, you can use these functions throughout the application on both the client and the server.