Identity role-based access

Hi! I’ve got Identity working well and am able to grant access based on Identity role (with a _redirects file). I’m trying to figure out if I can block/hide/redirect from a page for a group of users (with a role in Identity). Is there any way to do this? Do I have to add something to the netlify.toml file?

For example, I have something similar to this in the _redirects file, which works to give access to content for users with the role ‘paid’:
/content/* 200! Role=paid
/content/ /404.html 404

Is there any way I could block/redirect those same users (role=paid) from a particular page (which, in my case would be signup.html within the folder /signup/)? When these paid users sign in, I want to be sure if they visit the signup page they get redirected to a different page.

Or is there no easy way to do this and I have to create/call a function file from that signup page?

My website is flamboyant-joliot-d2e1a2


Hey @desidem

Have you seen the Redirect visitors based on roles documentation? It describes doing exactly what you are trying to do.

There are also functions which trigger on events including sign-up and login. Using the sign-up you can automatically assign a user a certain role (e.g. Paid, or free, or pro). Also check out this article

1 Like

Hi @coelmay
Thanks for taking a look. I have Identity set up and running and role-based access has been working for me. The issue for me is the ‘redirect visitors based on roles’ instruction helps with giving permission to access pages based on roles, but not restricting them based on roles (as far as I can tell). So, with a redirects file, I have been able to grant permission based on a role for particular folders/pages, and restrict everyone else (they get redirected to a 404.html page I set up). But, if I want to restrict a particular role from access to a particular page, I don’t think the redirects file is working. I experimented a bit, and haven’t been able to get those redirects working for excluding pages by role. They are working well for granting access by role.

I think it’s the nature of the redirect file. It redirects away from the designated folder/page, unless access is granted for the role. I’m trying to set it up so that users are redirected away only if they fall into a certain role while everyone else (including those without roles) is okay.

I hope that makes sense and I’m not missing something really simple. I think I’m going to have to check roles (using the token) on the page itself and direct away OR…

I think the netlify.toml file may be a possibility based on this linked post (though I’m not sure if using a redirects file plus the netlify.toml will work). There’s a response in the linked post that shows a TOML file with conditions (including a condition based on role).

Netlify.toml redirects not working
Thanks again for your input!

Take the example you provided @desidem

/content/* 200! Role=paid
/content/ /404.html 404

This both grants access, and restricts. It allows any user with the role paid access to anything inside /content and any other user is denied access, or is restricted.

There is no way (per my understanding) to have an IF role === 'xyz'; THEN deny access; ELSE; grant access; FI;, and any user who does not have a role will always fail any role-based check.

netlify.toml is simply an alternative. You could use both _redirects and netlify.toml, but keep in mind the rule processing order.

If you had a free, and paid membership, you might have something like

# Only allow access to paid content to paid users
/content/paid/*   200!  Role=paid
/content/paid/*  /pricing   401!

# Only allow access to free content to signed-in users
/content/free/*   200!  Role=paid,free
/content/free/*   /sign-up 401!

# Allow access to other content to everyone
/content/*    /content/:splat   200!

Again, this is both an access and restriction method. The above rules are what I implemented on a test site.

Is this the sort of thing you are trying to accomplish?

Thank you so much. Yes, I have something similar. I’m trying to disallow access to some content for a group that has paid access to everywhere else. Only paid users should get redirected from the page. Everyone else (including not logged in) should see it.

The unpaid customers (and those not logged in) should have access to that same page, while paid users would be redirected.
It would work if != was an option (but it’s not).

For example the last line of this example does not work, but it’s what I’m trying to accomplish (in theory)
/content/* 200! Role=paid # this is possible/works
/content/ /404.html 404 # this is possible/works

/signup/* /signin 401! Role!=paid #this is not possible/cannot work

I don’t think there’s a way to do it with the roles. As you say above, "any user who does not have a role will always fail any role-based check." That’s the issue. I need people without a role to have access to that signup page.

I appreciate your help! Apologies for the odd problem. I’ll have to figure out a different way to accomplish this.

1 Like
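
The alternative raised in the thread, checking the role from the token on the signup page itself, could look like the sketch below; it is an added example, not code from the thread or from Netlify. It assumes the Identity JWT is readable from the `nf_jwt` cookie with roles under `app_metadata.roles`, and `/content/` is a hypothetical redirect target.

```javascript
// Added example (not from the thread): role check run on the signup page.
// Assumptions: the Identity JWT is in the `nf_jwt` cookie, roles live in the
// `app_metadata.roles` claim, and "/content/" is a hypothetical target.

// Decode the (unverified) payload segment of a JWT; null if malformed.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
    return JSON.parse(atob(padded));
  } catch (err) {
    return null;
  }
}

// Extract one cookie value from a `document.cookie`-style string.
function readCookie(cookieString, name) {
  for (const pair of cookieString.split(";")) {
    const [key, ...rest] = pair.trim().split("=");
    if (key === name) return rest.join("=");
  }
  return null;
}

// Return the redirect target for visitors holding `blockedRole`, else null.
function signupRedirectFor(cookieString, blockedRole, target, nowSeconds) {
  const token = readCookie(cookieString, "nf_jwt");
  if (!token) return null; // not logged in: stay on the page
  const claims = decodeJwtPayload(token);
  if (!claims) return null; // malformed token: treat as no role
  if (typeof claims.exp === "number" && claims.exp <= nowSeconds) return null;
  const roles = (claims.app_metadata && claims.app_metadata.roles) || [];
  return Array.isArray(roles) && roles.includes(blockedRole) ? target : null;
}

// Build a constructed sample token (placeholder signature, illustration only).
function makeSampleToken(claims) {
  const enc = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.constructed`;
}

// In the browser, at the top of /signup/signup.html:
if (typeof document !== "undefined") {
  const to = signupRedirectFor(document.cookie, "paid", "/content/", Date.now() / 1000);
  if (to) window.location.replace(to);
}
```

The payload is only decoded in the browser, not signature-verified, and a visitor can skip the script, so this is a convenience redirect; anything that must actually be restricted still belongs behind the `Role=` rules in `_redirects`.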