Role-Based Access Control (RBAC) in Node.js: Beyond Simple Admin Checks
Role-Based Access Control (RBAC) in Node.js: Beyond Simple Admin Checks Most apps start with if (user.role === "admin"). That works until you need editors who can publish but not delete, moderators who can ban but not edit billing, and viewers who can read but not export. Define Permissions, Not Roles const PERMISSIONS = { " articles:read " : true , " articles:write " : true , " articles:delete " : true , " articles:publish " : true , " users:read " : true , " users:manage " : true , " billing:read " : true , " billing:manage " : true , } as const ; type Permission = keyof typeof PERMISSIONS ; interface Role { name : string ; permissions : Permission []; } const ROLES : Record < string , Role > = { viewer : { name : " Viewer " , permissions : [ " articles:read " , " users:read " ] }, editor : { name : " Editor " , permissions : [ " articles:read " , " articles:write " , " articles:publish " , " users:read " ] }, admin : { name : " Admin " , permissions : [ " articles:read " , " articl


