From 5feae2125230e0d90af15988e98478c0e3a20ca2 Mon Sep 17 00:00:00 2001
From: yaroslav8765
Date: Fri, 17 Oct 2025 08:54:50 +0300
Subject: [PATCH 1/2] docs: add docs foir the adminUserAuthorize hook

---
 .../tutorial/03-Customization/12-security.md | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/adminforth/documentation/docs/tutorial/03-Customization/12-security.md b/adminforth/documentation/docs/tutorial/03-Customization/12-security.md
index b8d322ac3..748d0f53c 100644
--- a/adminforth/documentation/docs/tutorial/03-Customization/12-security.md
+++ b/adminforth/documentation/docs/tutorial/03-Customization/12-security.md
@@ -209,3 +209,31 @@ So to completely hide the email field from all users apart superadmins, you shou
 ```
 So if you will configure the email column in user resource like this, only superadmin will be able to see emails, and only in the list view.
+
+## Custom user authorization hook
+
+Default user authorization checks that cookie with JWT token is valid, signed and not expired.
+You can use custom hook to decide whether to allow exections of all default and cusotm API endpoints (wraped by authorize middleware) based on user fields.
+
+```ts title="./index.ts"
+export const admin = new AdminForth({
+
+ ...
+
+ auth: {
+ adminUserAuthorize: [
+ async ({adminUser, adminforth, extra}) => {
+ if (adminUser.dbUser.role === 'banned') {
+ return { allowed: false, error: "User is banned" };
+ }
+ return { allowed: true };
+ }]
+ }
+
+ ...
+
+ })
+
+ ```
+
+ Now, if a user’s role is changed to "banned", they won’t be able to perform any actions and will be automatically logged out upon accessing the page.
\ No newline at end of file

From d0113272305777d3c15aa53b65ef8f7a5dd4bbf1 Mon Sep 17 00:00:00 2001
From: Ivan Borshchov
Date: Tue, 21 Oct 2025 12:50:46 +0300
Subject: [PATCH 2/2] Change banned check from role to status

Updated the condition to check user status instead of role for banning.
---
 .../docs/tutorial/03-Customization/12-security.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/adminforth/documentation/docs/tutorial/03-Customization/12-security.md b/adminforth/documentation/docs/tutorial/03-Customization/12-security.md
index 748d0f53c..ca495c100 100644
--- a/adminforth/documentation/docs/tutorial/03-Customization/12-security.md
+++ b/adminforth/documentation/docs/tutorial/03-Customization/12-security.md
@@ -223,7 +223,7 @@ export const admin = new AdminForth({
 auth: {
 adminUserAuthorize: [
 async ({adminUser, adminforth, extra}) => {
- if (adminUser.dbUser.role === 'banned') {
+ if (adminUser.dbUser.status === 'banned') {
 return { allowed: false, error: "User is banned" };
 }
 return { allowed: true };
@@ -236,4 +236,4 @@ export const admin = new AdminForth({
 ```
-Now, if a user’s role is changed to "banned", they won’t be able to perform any actions and will be automatically logged out upon accessing the page.
\ No newline at end of file
+Now, if a user’s field "status" is changed to "banned", they won’t be able to perform any actions and will be automatically logged out upon accessing the page.