⚛️ React Q91 / 113

How to implement role-based access in React?

AI-Powered Answer ✓ Answered

Role-Based Access Control (RBAC) is a method of restricting system access to authorized users based on their assigned roles. In a React application, implementing RBAC typically involves client-side checks backed by a robust server-side authorization system. This guide will walk you through the common patterns and techniques to achieve this.

Understanding Role-Based Access Control (RBAC)

Role-based access control (RBAC) is an approach to restrict system access to authorized users. It ensures that users only have access to the information and functions necessary to perform their job. In RBAC, permissions are assigned to roles, and users are assigned to roles. This simplifies management compared to assigning permissions directly to users.

Core Concepts

  • Roles: Collections of permissions that can be assigned to users (e.g., 'Admin', 'Editor', 'Viewer').
  • Permissions: Specific actions a user can perform (e.g., 'create_post', 'edit_post', 'delete_post', 'view_dashboard').
  • Users: Individuals who interact with the application and are assigned one or more roles.
  • Resources: The entities or features within the application that require protection (e.g., a specific route, a button, an API endpoint).

Implementation Steps

1. Define Roles and Permissions

Start by clearly defining the roles in your application and the permissions associated with each role. This data is usually managed on the backend but can be represented on the client for conditional UI rendering.

javascript 
const ROLES = {
  ADMIN: 'admin',
  EDITOR: 'editor',
  VIEWER: 'viewer',
};

const PERMISSIONS = {
  'admin': ['create_post', 'edit_post', 'delete_post', 'view_dashboard', 'manage_users'],
  'editor': ['create_post', 'edit_post', 'view_dashboard'],
  'viewer': ['view_dashboard'],
};

2. User Authentication and Role Assignment

When a user logs in, your authentication system (e.g., JWT, OAuth) should return their assigned roles (and ideally, their specific permissions) along with their authentication token. Store this information securely (e.g., in localStorage or sessionStorage for tokens, and in a global state for roles/permissions).

3. Context API for Global State

Use React's Context API to make the authenticated user's roles and permissions globally accessible throughout your application. This avoids prop-drilling.

javascript 
// AuthContext.js
import React, { createContext, useContext, useState, useEffect } from 'react';

const AuthContext = createContext(null);

export const AuthProvider = ({ children }) => {
  const [user, setUser] = useState(null); // { id, username, roles, permissions }

  useEffect(() => {
    // In a real app, fetch user data and roles/permissions from API
    // or parse from JWT after login
    const storedUser = JSON.parse(localStorage.getItem('currentUser'));
    if (storedUser) {
      setUser(storedUser);
    }
  }, []);

  const login = (userData) => {
    setUser(userData);
    localStorage.setItem('currentUser', JSON.stringify(userData));
    // Also store token
  };

  const logout = () => {
    setUser(null);
    localStorage.removeItem('currentUser');
    // Remove token
  };

  const hasPermission = (permission) => {
    return user?.permissions?.includes(permission) || false;
  };

  const hasRole = (role) => {
    return user?.roles?.includes(role) || false;
  };

  return (
    <AuthContext.Provider value={{ user, login, logout, hasPermission, hasRole }}>
      {children}
    </AuthContext.Provider>
  );
};

export const useAuth = () => useContext(AuthContext);

4. HOC, Render Props, or Custom Hook for Component Protection

To protect routes or components, you can use Higher-Order Components (HOCs), Render Props, or, more commonly in modern React, custom hooks.

Using a Higher-Order Component (HOC)

An HOC wraps a component and injects props or renders conditionally based on roles/permissions.

javascript 
// withAuthorization.js
import React from 'react';
import { useAuth } from './AuthContext';
import { Navigate } from 'react-router-dom'; // Assuming React Router

const withAuthorization = (AllowedPermissions) => (WrappedComponent) => {
  return (props) => {
    const { hasPermission, user } = useAuth();

    if (!user) {
      return <Navigate to="/login" replace />;
    }

    const authorized = AllowedPermissions.some(permission => hasPermission(permission));

    if (!authorized) {
      return <div>Access Denied</div>; // Or navigate to an unauthorized page
    }

    return <WrappedComponent {...props} />;
  };
};

export default withAuthorization;

// Usage example in a component file:
// const AdminDashboard = () => { /* ... */ };
// export default withAuthorization(['view_dashboard', 'manage_users'])(AdminDashboard);

Using a Custom Hook (Recommended)

Custom hooks offer a cleaner, more flexible way to encapsulate logic for permission checks.

javascript 
// useAuthorize.js
import { useAuth } from './AuthContext';
import { Navigate } from 'react-router-dom';

const useAuthorize = (requiredPermissions) => {
  const { user, hasPermission } = useAuth();

  if (!user) {
    // Not authenticated
    return { authorized: false, redirectTo: '/login' };
  }

  const authorized = requiredPermissions.some(permission => hasPermission(permission));

  if (!authorized) {
    // Authenticated but not authorized
    return { authorized: false, redirectTo: '/unauthorized' };
  }

  // Authenticated and authorized
  return { authorized: true };
};

export default useAuthorize;

// Usage example in a component or route:
// import useAuthorize from './useAuthorize';
// const AdminPage = () => {
//   const { authorized, redirectTo } = useAuthorize(['view_dashboard', 'manage_users']);
//
//   if (redirectTo) {
//     return <Navigate to={redirectTo} replace />;
//   }
//
//   if (!authorized) {
//     return <div>Loading... or generic access denied if redirectTo is null for some reason</div>;
//   }
//
//   return (
//     <div>
//       <h1>Admin Dashboard</h1>
//       {/* Admin specific content */}
//     </div>
//   );
// };

5. Backend Integration

Client-side RBAC is primarily for UI rendering. Crucially, all access control decisions for sensitive operations must be enforced on the backend. When a user tries to perform an action (e.g., create a post, delete a user), the backend API should verify their roles and permissions against the database before processing the request. The client sends the token, and the backend decodes it to retrieve user roles/permissions for server-side validation.

6. Displaying UI based on Roles/Permissions

For showing or hiding specific UI elements (buttons, navigation links, entire sections), you can directly use the hasPermission or hasRole functions from your AuthContext.

javascript 
import React from 'react';
import { useAuth } from './AuthContext';

const Dashboard = () => {
  const { user, hasPermission } = useAuth();

  if (!user) {
    return <p>Please log in.</p>;
  }

  return (
    <div>
      <h2>Welcome, {user.username}!</h2>
      {hasPermission('view_dashboard') && (
        <p>This is your dashboard content.</p>
      )}

      {hasPermission('create_post') && (
        <button>Create New Post</button>
      )}

      {hasPermission('manage_users') && (
        <button>Manage Users</button>
      )}

      {!hasPermission('create_post') && !hasPermission('manage_users') && (
        <p>You have limited access features.</p>
      )}
    </div>
  );
};

export default Dashboard;

Implementing role-based access in React involves a combination of global state management, client-side logical checks, and crucially, robust server-side enforcement. By following these steps, you can create a secure and flexible authorization system for your React application. Remember that client-side authorization is primarily for user experience, while server-side authorization is for security.

← All React questions