u/Confident_Aside7128

▲ 16 r/nestjs

Avoiding circular dependencies with a third module. Where should the API route live?

I'm a junior developer, and I have a question about handling circular dependencies.

Let's say I have Module A and Module B. Initially, A imports B, but then I need to add an endpoint where B also imports A. To avoid using forwardRef() and creating a circular dependency, I thought about introducing Module C, which imports both A and B and coordinates the interaction.

Here's an example:

  • ProductModule imports OrderModule because it needs to check whether a product has any pending orders before allowing it to be deleted.
  • Later, I want to implement POST /orders, which also needs to validate products before creating an order. That would require OrderModule to import ProductModule, creating a circular dependency.

To avoid this, I created a CheckoutModule (or CheckoutService) that imports both ProductModule and OrderModule and orchestrates the logic. This removes the circular dependency.

My confusion is about the API route. Since the orchestration now lives in the CheckoutModule, should the endpoint be:

  • POST /checkout, because that's where the orchestration happens?
  • Or POST /orders, with the checkout(or any) controller living inside CheckoutModule even though the route is /orders?

More generally, when you introduce an orchestration module to break circular dependencies, should your API routes follow the orchestration module, or should they still be organized around the resource being created (/orders in this case)?

I'm interested in what the common or recommended practice is.

reddit.com
u/Confident_Aside7128 — 8 days ago

How do you implement dynamic RBAC and data-level access control in a SaaS application?

Hey everyone,

I'm a junior backend developer working on a real-world SaaS school management system. The frontend is being handled by another developer, and I'm responsible for the backend.

Tech stack:

  • NestJS
  • Prisma
  • PostgreSQL
  • Redis
  • BullMQ

I'm trying to design a flexible authorization system and would appreciate some guidance from people who have built similar systems.

I understand how to create and manage roles and permissions, but I'm struggling with data-level access control and dynamic roles.

For example, a school may have roles such as:

  • Teacher
  • Student
  • Guardian/Parent
  • Staff
  • Principal
  • Coordinator
  • Department Head
  • Custom roles created by the school

The challenge is that access isn't determined only by a user's role.

Examples:

  • A teacher should only be able to view students they teach.
  • Staff members may only be able to view students within certain departments.
  • Department heads may have broader access across their department.
  • Principals may have access to all student records.
  • Schools may also create custom roles with custom permissions.
  • Permission overrides may exist for specific users.

This makes simple role-based checks feel insufficient.

From my research, it seems like RBAC alone isn't enough, and there may be concepts such as resource-based permissions, attribute-based access control (ABAC), policy-based authorization, scopes, or permission inheritance involved.

For those who have built systems like this:

  1. How did you model authorization?
  2. What concepts or patterns should I study?
  3. Are there any books, articles, open-source projects, or other resources you would recommend?
  4. How do you handle permission overrides and custom roles without making the system unmanageable?

I've already asked ChatGPT, Claude, and other AI tools, but I'd also like to hear from people who have solved this in production.

I know this is a huge topic and not something that can be fully explained in a single Reddit reply. Even pointers on what to research next would be very helpful.

Thanks!

reddit.com
u/Confident_Aside7128 — 24 days ago
▲ 13 r/nestjs+1 crossposts

How do you implement dynamic RBAC and data-level access control in a SaaS application?

Hey everyone,

I'm a junior backend developer working on a real-world SaaS school management system. The frontend is being handled by another developer, and I'm responsible for the backend.

Tech stack:

  • NestJS
  • Prisma
  • PostgreSQL
  • Redis
  • BullMQ

I'm trying to design a flexible authorization system and would appreciate some guidance from people who have built similar systems.

I understand how to create and manage roles and permissions, but I'm struggling with data-level access control and dynamic roles.

For example, a school may have roles such as:

  • Teacher
  • Student
  • Guardian/Parent
  • Staff
  • Principal
  • Coordinator
  • Department Head
  • Custom roles created by the school

The challenge is that access isn't determined only by a user's role.

Examples:

  • A teacher should only be able to view students they teach.
  • Staff members may only be able to view students within certain departments.
  • Department heads may have broader access across their department.
  • Principals may have access to all student records.
  • Schools may also create custom roles with custom permissions.
  • Permission overrides may exist for specific users.

This makes simple role-based checks feel insufficient.

From my research, it seems like RBAC alone isn't enough, and there may be concepts such as resource-based permissions, attribute-based access control (ABAC), policy-based authorization, scopes, or permission inheritance involved.

For those who have built systems like this:

  1. How did you model authorization?
  2. What concepts or patterns should I study?
  3. Are there any books, articles, open-source projects, or other resources you would recommend?
  4. How do you handle permission overrides and custom roles without making the system unmanageable?

I've already asked ChatGPT, Claude, and other AI tools, but I'd also like to hear from people who have solved this in production.

I know this is a huge topic and not something that can be fully explained in a single Reddit reply. Even pointers on what to research next would be very helpful.

Thanks!

reddit.com
u/Confident_Aside7128 — 24 days ago