By Sahidur, published Feb 20

Part 8: Who Can Write What — Permissions and Access Control

A simple explanation of how I control who can write, edit, and delete blog posts.

The Problem: Not Everyone Should Be a Writer

Imagine a newspaper office. Not everyone who walks in can write articles:

  • Reporters: Can write and edit articles
  • Editors: Can write, edit, and approve articles
  • Interns: Can write, but editors must approve before publishing
  • Readers: Can only read the paper

You need rules about who can do what.

The Solution: Permissions

A permission is a rule that says: "If you have this role, you can do that action."

AllBengal has four main permission levels:

Permission Levels

1. Super Admin

Email address is in the SUPER_ADMIN_EMAILS list.

  • ✅ Write posts
  • ✅ Edit any post
  • ✅ Delete any post
  • ✅ Manage users
  • ✅ Change permissions
  • ✅ Access analytics

This is usually just you (the blog owner).

2. Section Admin

Has the admin permission for one or more sections.

  • ✅ Write posts in their section
  • ✅ Edit posts in their section
  • ✅ Delete posts in their section
  • ✅ Manage permissions for users in their section

Example: You hire someone to manage the "Technology" section. They can edit all tech posts.

3. Writer

Has the write permission for one or more sections.

  • ✅ Write posts in their section
  • ✅ Edit their own posts
  • ❌ Delete posts
  • ❌ Manage permissions

Example: A guest blogger can write posts but can't delete them.

4. Reader

Has no special permissions.

  • ✅ Read all published posts
  • ❌ Write posts
  • ❌ Edit posts
  • ❌ Delete posts

This is everyone else.

How It Works Behind the Scenes

The Permission Table

AllBengal stores permissions in a database table:

user_id   section      permission
123       technology   write
123       lifestyle    admin
456       technology   admin
789       lifestyle    write

This means:

  • User 123: Can write in "Technology", can admin "Lifestyle"
  • User 456: Can admin "Technology"
  • User 789: Can write in "Lifestyle"

Checking Permissions

When you try to do something, the system checks:

You try to publish a post in "Technology"
↓
System checks: "Do I have a token? Who is this user?"
↓
System looks up: User 123
↓
System checks: "Does user 123 have permission to write in 'Technology'?"
↓
Database lookup finds: Yes, user 123 has 'write' permission
↓
Action allowed: Post published ✓

If Permission Denied

User 789 (writer) tries to delete a post
↓
System checks: "Do I have 'delete' permission?"
↓
Database says: No, you have 'write', not 'delete'
↓
System denies: "You don't have permission to delete posts"
↓
Error 403: Forbidden

Real-World Examples

Example 1: Solo Blogger (You)

Your email: you@example.com

You're listed as super admin:

SUPER_ADMIN_EMAILS = ["you@example.com"]

You can do everything. Simple!

Example 2: Multi-Author Blog

Your email: you@example.com (super admin)
Your friend's email: friend@example.com (section admin for "Reviews")

Result:

  • You can write in any section
  • Your friend can only manage "Reviews" posts
  • But they can't write in "Technology" or delete your posts

Example 3: Guest Blogger

A guest blogger visits: guest@example.com

Result:

  • Guest can write in the "Guest Posts" section
  • Can't edit posts once submitted
  • Can't delete anything
  • Can't see analytics or admin features

Sections: Organizing Posts

Think of "sections" like categories in a newspaper:

  • Technology
  • Lifestyle
  • Travel
  • Business
  • Reviews

You can set permissions per section. Someone can be a writer in "Travel" but an admin in "Reviews".

Protection: Checking Every Action

The system doesn't trust the frontend. It checks permissions on every action:

User tries to delete a post via the UI
↓
Frontend says to backend: "Delete post 789"
↓
Backend checks: "Is this user logged in? Do they have permission?"
↓
If no: "403 Forbidden" (even if they hacked the UI)

It's like checking ID at the door AND at the bar AND at the VIP section — redundancy for safety.

Default Permissions

New users don't have any permissions by default:

User 999 joins AllBengal
↓
Permissions lookup: No row found
↓
Default: Reader only
↓
User can only view published posts

You have to explicitly give permissions. Safe default!
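Here is how that lookup and check can be written in Python, as an added example that is not AllBengal's own code: the super-admin list, the permission rows, the user-to-email table and the action-to-permission mapping are constructed or assumed for illustration.

```python
# Constructed sample data for this example (not AllBengal's real config or data).
SUPER_ADMIN_EMAILS = ["you@example.com"]

# The permission table from the post, as (user_id, section, permission) rows.
PERMISSION_ROWS = [
    (123, "technology", "write"),
    (123, "lifestyle", "admin"),
    (456, "technology", "admin"),
    (789, "lifestyle", "write"),
]

# user_id -> email (constructed). User 1 is the blog owner; user 999 has just
# joined and has no permission row at all.
USER_EMAILS = {1: "you@example.com", 123: "alice@example.com",
               456: "bob@example.com", 789: "carol@example.com",
               999: "new@example.com"}

# What each permission level may do in its section. "edit_own" means a writer
# may edit only posts they authored (assumed mapping).
ALLOWED_ACTIONS = {
    "admin": {"write", "edit", "delete"},
    "write": {"write", "edit_own"},
}


def permission_for(user_id, section):
    """Database lookup: the permission row for this user and section, or None."""
    for uid, sec, perm in PERMISSION_ROWS:
        if uid == user_id and sec == section:
            return perm
    return None  # no row found -> reader only (safe default)


def authorize(user_id, action, section, post_author_id=None):
    """Backend check run on every request, regardless of what the UI showed.
    Returns 200 (allowed), 401 (no token / not logged in) or 403 (forbidden)."""
    if user_id is None:
        return 401
    if USER_EMAILS.get(user_id) in SUPER_ADMIN_EMAILS:
        return 200  # super admin: everything, in every section
    if action == "read":
        return 200  # published posts are visible to everyone, even readers
    granted = ALLOWED_ACTIONS.get(permission_for(user_id, section), set())
    if action in granted:
        return 200
    # A writer may edit their own post, but never someone else's.
    if action == "edit" and "edit_own" in granted and post_author_id == user_id:
        return 200
    return 403
```

Draft visibility is not modelled here: "read" stands for the published posts every reader can see.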

The Bottom Line

Permissions work like:

  • ✅ Super admin: Can do everything
  • ✅ Section admin: Can manage one section
  • ✅ Writers: Can write but not delete
  • ✅ Readers: Can only read
  • ✅ Checked on every action for safety

Multi-author blog dream? Drop a comment below!
