How do you set user types securely?

In an app with multiple user types, e.g. Editor, Viewer, Commenter, Admin, Buyer, Seller, how do you set a user type in a secure way?

If the user can change their own user type, then they could change it to “admin” or “editor” and then gain control they shouldn’t have.

But if they can’t change their own user type, then when they create their account, they can’t assign themselves to the correct user type, e.g. Buyer, and if they want to set themselves up as a Seller, they can’t do that either.

Is there a generally accepted practice for this?

Hi there, @brenton.strine… for the buyer vs. seller thing, I have seen it pretty much universally done through different sign up pages. So, if someone is a buyer, they sign up on a page that is specific to buyers, and you set their user type on the backend based on the fact that they signed up as a buyer. Same process for sellers, too.

With regard to roles like editor, viewer, commenter, and admin, I have seen that, again, almost universally done by setting a default role and then having a system admin assign a different role as necessary. So, basically, only someone with a role of Admin would have the ability to change user types, and there would be a process in place to facilitate those changes (i.e., maybe a user has to request edit permissions, and the request has to be approved by the admin). The bottom line, though, is you simply can’t give users the ability to change their own user type because that would pretty much defeat the main purpose of having those user types.

Anyway, just food for thought there, and I hope it helps.


1 Like

Thanks. Makes sense to have buyer/seller based on sign up, but then what if a seller later decides they want to buy, or a buyer later wants to sell?

I think that question depends heavily on the requirements of your app. It could be as simple as making the user sign up with a different account. You could also have a process within the app by which a user who is, say, a buyer can specify that they would also like to sell, and maybe you have a user type that covers both. So, you could change the user’s type to the type that covers both buying and selling, and you drive functionality off of that type. No shortage of ways to go on this one… it just depends on exactly what you want.

1 Like

This topic was automatically closed after 70 days. New replies are no longer allowed.