
[Solved] Prevent non admin logged in into the admin page

igrir
26 Mar, 2023, 16:11

I am creating an "admin page" which only "admin" or "moderator" can log in to. Since we can't query what our current team is from the client SDK (I am using the Web SDK), the only way I could think of to prevent other users from advancing into the login is by calling a cloud function with specific execute access after calling createEmailSession, so whenever a non-admin user logs in, they would be thrown out of the session.

Here's how I implemented it:

TypeScript
import { Client, Account, Functions } from "appwrite";

// Client set-up is assumed to live elsewhere; placeholders shown so the snippet is complete
const client = new Client().setEndpoint("YOUR_APPWRITE_ENDPOINT").setProject("YOUR_PROJECT_ID");
const account = new Account(client);
const functions = new Functions(client);

async function login(email: string, password: string) {
    let result = await account.createEmailSession(email, password);

    try {
        // Execute access on this function is restricted to admins, so a
        // non-admin's call is rejected and lands in the catch below
        await functions.createExecution("FUNCTION_WHICH_ONLY_ADMIN_CAN_EXECUTE_IT");
    } catch (ex) {
        // Tear the freshly created session down before surfacing the error
        await account.deleteSessions();
        throw ex;
    }

    return result;
}

What do you think about this implementation? Is it safe? Or is there any better way to check which users have the "admin" role?

TL;DR
The user wants to prevent non-admin users from accessing the admin page. They discuss using a middleware and adding collection permissions to achieve this. They also consider checking the user's team membership, but find that it is not possible to query the current team using the Web SDK. Finally, they implement a solution where they call a cloud function with specific execute access after login to prevent non-admin users from continuing the session. They ask for feedback on this implementation.
Drake
26 Mar, 2023, 16:22

What do you mean you can't query your current team?

safwan
26 Mar, 2023, 17:41

Why don't you create a team called "admins", then create "admin" memberships for the specific users. Then use the teams.listMemberships endpoint in the Web SDK to check if the user attempting to access the secret page is in the team, and handle accordingly.

igrir
26 Mar, 2023, 20:59

I didn't find a way to retrieve the current user's team.

igrir
26 Mar, 2023, 21:01

So after login I have to fetch all admin users and compare the logged-in user ID to check whether it's one of those users?

Drake
26 Mar, 2023, 21:09

I'm not really sure what you mean. The list teams API (https://appwrite.io/docs/client/teams?sdk=web-default#teamsList) gets the current user's teams.

safwan
27 Mar, 2023, 00:55

Oh wait. When you put it like that, it sounds like a bad way to do it.

safwan
27 Mar, 2023, 00:55

Yup, this makes so much more sense.

safwan
27 Mar, 2023, 00:55

I didn't look at that endpoint.

igrir
27 Mar, 2023, 01:39

Oh! I get it! Thanks! I didn't see this endpoint! I thought list teams was listing all members of the team 😂

I think I'm going to make the login part look like this:

TypeScript
import { Client, Account, Teams } from "appwrite";

// Client set-up is assumed to live elsewhere; placeholders shown so the snippet is complete
const client = new Client().setEndpoint("YOUR_APPWRITE_ENDPOINT").setProject("YOUR_PROJECT_ID");
const account = new Account(client);
const teams = new Teams(client);

async function login(email: string, password: string) {
    let result = await account.createEmailSession(email, password);

    // teams.list() returns only the teams the current user belongs to
    let userteams = await teams.list();
    if (userteams.teams.find(x => x.name === "Admin")) {
        return result;
    } else {
        // Not an admin: end the session that was just created
        await account.deleteSession("current");
        return null;
    }
}
Drake
27 Mar, 2023, 01:50

Nice!

Definitely make sure any other API calls that typically run for admins will either fail or return no data just in case someone tweaks your code to skip that team check

igrir
27 Mar, 2023, 02:34

Sure! I'll try to put some kind of middleware between each call for admin and also add collection permission to do so
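Drake's point that the client-side team check only guards the UI, and the login code posted above, as an added example that is not from the original post or from Appwrite: a hardened version of that login flow which matches on the admin team's $id (an assumed configured value) rather than its display name, and tears the session down if the team lookup fails for any reason, not only when the user is a non-admin. The AccountLike/TeamsLike interfaces are hypothetical narrowings of the Web SDK's Account and Teams services so the flow can be exercised with stubs; the real `account` and `teams` objects satisfy them, and server-side permissions remain the actual control.

```typescript
// Minimal shapes of what the Appwrite Web SDK returns; only the fields used here.
interface Team { $id: string; name: string }
interface TeamList { total: number; teams: Team[] }
interface Session { $id: string; userId: string }

// Hypothetical narrowings of the SDK's Account and Teams services, so the
// flow can be driven by stubs; the real SDK objects satisfy these shapes.
interface AccountLike {
  createEmailSession(email: string, password: string): Promise<Session>;
  deleteSession(sessionId: string): Promise<unknown>;
}
interface TeamsLike { list(): Promise<TeamList> }

// Match on the admin team's $id (a value configured by the app) instead of
// its display name, so the check does not depend on a free-form string.
export function hasAdminTeam(list: TeamList, adminTeamId: string): boolean {
  return list.teams.some((t) => t.$id === adminTeamId);
}

// Log in, then keep the session only if the user belongs to the admin team.
// Any failure after the session exists (including teams.list() throwing)
// deletes the session before the error surfaces, so a half-checked session
// never lingers in the browser.
export async function adminLogin(
  account: AccountLike,
  teams: TeamsLike,
  email: string,
  password: string,
  adminTeamId: string,
): Promise<Session | null> {
  const session = await account.createEmailSession(email, password);
  let isAdmin = false;
  try {
    isAdmin = hasAdminTeam(await teams.list(), adminTeamId);
  } catch (err) {
    await account.deleteSession("current");
    throw err;
  }
  if (!isAdmin) {
    await account.deleteSession("current");
    return null;
  }
  return session;
}
```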
