Transcript
00:00 In this exercise, we're going to talk about Role-Based Access Control or RBAC. I'm not sure if that's how you say it, but that's how I say it, RBAC. And so it's easiest to visualize this from the data perspective, and then we can talk about other things. So we've got our users, and users can have, in an RBAC situation,
00:19 users can have multiple roles. So this could be like admin role, user role, a marketing team role. There are all kinds of different personas that you think about. And then roles have permissions. There's a big reason why we have this separation between user and permission. And that reason is,
00:37 if you just attach permissions to a bunch of users, then later you decide, oh, you know what, we need to make it so users can't delete their own images anymore for some reason. Or maybe it's, yeah, who knows? There are all sorts of reasons, like regulations and different things that you might have to conform to.
00:56 And so you can either have a big migration story that you have to figure out, okay, I've got to fix all the users' roles, or all the users' permissions. Or if you attach permissions to roles, then that becomes a lot easier. You say, oh, all these users have the user role, and now they no longer have permission to delete their images, or whatever.
01:15 So by structuring things in this way, it just makes it a lot easier to manage these types of different user personas. And so in this exercise, we're going to be adding a user role and an admin role, but there are lots of different kinds of roles. And as your application grows,
01:34 and especially when the complexity of role management increases, then adding some sort of dashboard for admins to be able to control permissions on a per-role basis, and even look at all the users and add different roles, can be quite useful. If you want to look at something that's very complex,
01:52 as far as roles and permissions are concerned, then take a look at Discord. Discord has its idea of the different roles that users can be assigned to, and that gives them different levels of permissions. That's exactly the type of thing that we're talking about here.
02:11 So yeah, if you have never seen that, you could just go Google a YouTube video of that, or create a new server of your own and explore that to dive really deep into this. We're gonna be doing just enough to expose you to the idea
02:29 by allowing admin users to delete other users' notes, and then protecting it against unauthenticated users and users who don't have the admin role. In addition, we're also going to have some UI utilities so that we don't even display the option to do something that you're not allowed to do. So you gotta do both of those.
02:50 In the action portion, you wanna make sure that people can actually do the thing that they're not allowed to do. And then in the loader portion or in the UI, you're gonna just say, that's for the user experience. Like you don't wanna display something that will result in an error for a user, like an unauthorized error.
03:08 So that's what we're gonna be doing in this exercise. It's quite a bit, but I think you're gonna enjoy it. It's a pretty interesting little problem and important for many, many apps. And also we're gonna get into a many-to-many relationship here. We got one role can be assigned to multiple users. A user can have multiple roles.
03:26 Permissions can be assigned to multiple roles and roles can have multiple permissions. So we got some many-to-many stuff going on here too. That'll be fun. So have a good time with this one and we'll see you in the exercises.