A short walkthrough of how I structured permissions for customers, admins, and store managers in Grocery Store — what worked, what I'd change, and the one bug that taught me to never trust the client.

When I started building Grocery Store, I had three user types in mind:

- Customers — browse the catalog, add to cart, check out.
- Store managers — add or edit products, manage inventory.
- Admins — everything a store manager can do, plus user management.

That sounds like a clean three-role hierarchy on paper. In practice, getting it right takes more than dropping a role field on the user model. Here's how I structured it, and the rough edges I ran into along the way.

The user shape

The User model carries a single role field with one of three values:

// models/User.js
const userSchema = new mongoose .…
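One way to enforce the three-role split described above on the server, as an added example that is not code from the original post. The role strings, the action names and the `permissionsFor`, `can`, `authorize` and `simulate` helpers are assumptions, and `req.user` is assumed to be loaded server-side from the session rather than taken from anything the client sends.

```javascript
// Added example. Role strings and action names are assumed, not from the post.
const PERMISSIONS = Object.freeze({
  customer: ["catalog:browse", "cart:add", "order:checkout"],
  manager: ["product:write", "inventory:manage"],
  admin: ["user:manage"],
});
// Admin inherits everything a store manager can do, as the post describes.
const INHERITS = Object.freeze({ admin: ["manager"] });

// Resolve a role to its full permission set, following inheritance.
// Unknown roles (including prototype keys such as "constructor") get nothing.
function permissionsFor(role, seen = new Set()) {
  const known = Object.prototype.hasOwnProperty.call(PERMISSIONS, role);
  if (!known || seen.has(role)) return new Set();
  seen.add(role);
  const granted = new Set(PERMISSIONS[role]);
  for (const parent of INHERITS[role] ?? []) {
    for (const p of permissionsFor(parent, seen)) granted.add(p);
  }
  return granted;
}

function can(role, action) {
  return permissionsFor(role).has(action);
}

// Express-style middleware factory. req.user must come from a server-side
// lookup (assumed: the session's user id). req.body, req.query and headers
// are client input and are never consulted for the role.
function authorize(action) {
  return function (req, res, next) {
    if (!req.user) return res.status(401).json({ error: "not authenticated" });
    if (!can(req.user.role, action)) return res.status(403).json({ error: "forbidden" });
    return next();
  };
}

// Constructed request/response doubles so the example runs without Express.
function simulate(action, req) {
  const outcome = { status: 200, passed: false };
  const res = {
    status(code) { outcome.status = code; return this; },
    json(body) { outcome.body = body; return this; },
  };
  authorize(action)(req, res, () => { outcome.passed = true; });
  return outcome;
}
```

A request whose body claims `role: "admin"` while the server-side record says `customer` is rejected with 403, because only `req.user.role` is read.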