RBAC done right across REST endpoints
Permissions are easy. Just give everyone admin. (This is a joke. Please do not. I can hear my old self screaming.)
1. The boolean that became a monster
It always starts innocently: isAdmin. One little boolean. Then you need editors, then viewers, then 'viewers who can also do this one thing on Tuesdays,' and now your auth logic is a Choose Your Own Adventure book with 400 endings.
Define roles early and centrally, before the booleans start dating each other and having more booleans.
2. Deny by default, like a good doorman
Every endpoint should assume the worst about whoever knocks. No role? No entry. The safest API is a pessimist. If you forget to grant access, the user is annoyed. If you forget to deny it, the user is in your database.
One is a support ticket. The other is a very bad week and possibly a meeting with words like 'incident.'
3. Make the rules readable by humans
If your permission logic needs a PhD and a quiet room to understand, future-you will route around it and create a security hole shaped exactly like your own laziness.
I keep roles obvious, decorators declarative, and the whole thing boring enough that a tired engineer can still get it right. Boring security is the best security.
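The three points above in one small Python module, as an added example that is not the author's code: roles and their permissions in one central table, a guard that denies unless a permission is explicitly granted, and a declarative decorator that is readable at the route; the request dict shape, the route handlers and the permission names are assumptions.

```python
from enum import Enum
from functools import wraps
# Roles and their permissions live in one place (constructed example). Anything not listed is denied.
class Role(Enum):
    VIEWER = "viewer"
    EDITOR = "editor"
    ADMIN = "admin"

ROLE_PERMISSIONS = {
    Role.VIEWER: {"article:read"},
    Role.EDITOR: {"article:read", "article:write"},
    Role.ADMIN: {"article:read", "article:write", "article:delete", "user:manage"},
}

class Unauthorized(Exception):
    """No authenticated caller at all (maps to HTTP 401)."""
class Forbidden(Exception):
    """Known caller without the required permission (maps to HTTP 403)."""

def has_permission(role, permission):
    # Unknown role or unknown permission both fall through to False: deny by default.
    return permission in ROLE_PERMISSIONS.get(role, frozenset())

def require_permission(permission):
    """Declarative guard: the handler body never runs for a caller lacking `permission`."""
    def decorator(handler):
        @wraps(handler)
        def guarded(request, *args, **kwargs):
            role = request.get("role")  # hypothetical request dict: {"role": Role, ...}
            if role is None:
                raise Unauthorized("no authenticated caller")
            if not has_permission(role, permission):
                raise Forbidden(f"{role} lacks {permission}")
            return handler(request, *args, **kwargs)
        guarded.required_permission = permission  # discoverable, so a test can audit every route
        return guarded
    return decorator

@require_permission("article:read")
def get_article(request, article_id):
    return {"id": article_id, "title": "example"}

@require_permission("article:delete")
def delete_article(request, article_id):
    return {"deleted": article_id}

def audit_unguarded(handlers):
    """Names of handlers with no guard: the 'forgot to deny' case, caught before it ships."""
    return [h.__name__ for h in handlers if not hasattr(h, "required_permission")]
```

Run audit_unguarded over every registered route in a unit test so that an endpoint without a decorator fails the build rather than shipping open.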
