> Portal Navigation:
>
> - Append `.md` to any URL under `https://dev.wix.com/docs/` to get its markdown version.
> - Pages are either content pages (article or reference text) or menu pages (a list of links to child pages).
> - To get a menu page, truncate any URL to a parent path and append `.md` (e.g. `https://dev.wix.com/docs/sdk.md`, `https://dev.wix.com/docs/sdk/core-modules.md`).
> - Top-level index of all portals: https://dev.wix.com/docs/llms.txt
> - Full concatenated docs: https://dev.wix.com/docs/llms-full.txt

## Resource: About Elevation

## Article: About Elevation

## Article Link: https://dev.wix.com/docs/develop-websites-sdk/code-your-site/authorization/about-elevation.md

## Article Content:

# About Elevation

> **Note:** This article discusses elevation when developing websites, but the concepts and implementation are the same when [coding in Blocks](https://dev.wix.com/docs/build-apps/develop-your-app/frameworks/wix-blocks/code-in-blocks/about-coding-in-blocks.md).

Some Wix methods are restricted based on the [identities](https://dev.wix.com/docs/develop-websites-sdk/code-your-site/authorization/about-identities.md) and [roles](https://support.wix.com/en/article/roles-permissions-overview) authorized to call them. Elevation is a mechanism that allows you to call these restricted methods even when the calling identity lacks the necessary authorization.

Calling the `elevate()` method creates a temporary elevated version of a method, which bypasses the usual authorization checks that would otherwise restrict access. For example:

```javascript
import { auth } from "@wix/essentials";
import { someModule } from "@wix/some-module";

//...

// Create an elevated copy of the restricted method and call it as usual.
const elevatedMethod = auth.elevate(someModule.methodName);
elevatedMethod(param1, param2);
```

## Methods that may require elevation

Methods can be restricted based on user [identity](https://dev.wix.com/docs/develop-websites/articles/coding-with-velo/authorization/identities.md) or [roles and permissions](https://support.wix.com/en/article/roles-permissions-overview).

### Identity restriction example

An example of a method restricted by identity is the [`assignBadge()`](https://dev.wix.com/docs/sdk/backend-modules/members/badges/assign-badge.md) method. This method can only be called by [Wix users](https://dev.wix.com/docs/develop-websites-sdk/code-your-site/authorization/about-identities.md#wix-user) because site members shouldn't be able to assign badges to themselves. This means that `assignBadge()` can only be called without elevation in a published dashboard page, where the caller has the Wix user identity. In all other cases, if you need to call `assignBadge()`, you must elevate it first.

For example, you might want to automatically assign a badge to members who take some specific action or reach a predetermined milestone. Since the site members who earned the badge don't have rights to assign it to themselves, you need to use elevation to assign the badge.

### Roles and permissions restriction example

An example of a method restricted based on roles and permissions is the [`confirmBooking()`](https://dev.wix.com/docs/sdk/backend-modules/bookings/bookings/confirm-booking.md) method. This method can only be called by admin members with an administrative Bookings role because users creating bookings shouldn't be allowed to confirm their own bookings. If you need to call `confirmBooking()` on behalf of a user who does not have an administrative Bookings role, you must elevate it first.

For example, you might have a specific service that you want to confirm automatically once a site visitor books it.
Since site visitors who book the service don't have permissions to confirm it themselves, you need to use elevation to confirm the booking.

## Security considerations

Due to potential security risks, you can only elevate methods in backend code.

While elevation offers flexibility, it's crucial to consider how and when elevation is triggered. [Web methods](https://dev.wix.com/docs/develop-websites-sdk/code-your-site/build-a-custom-backend/web-modules/about-web-modules.md) and [HTTP functions](https://dev.wix.com/docs/develop-websites-sdk/code-your-site/build-a-custom-backend/expose-services/about-custom-site-apis.md) are particularly vulnerable if not properly managed due to their open nature. Elevation in [backend events](https://dev.wix.com/docs/develop-websites-sdk/code-your-site/build-a-custom-backend/backend-events/about-backend-events.md) or code only triggered from [scheduled jobs](https://dev.wix.com/docs/develop-websites-sdk/code-your-site/build-a-custom-backend/scheduled-jobs/about-scheduled-jobs.md) presents less risk but should still be handled cautiously.

### Example

To demonstrate how to properly handle elevation, consider a site that rewards frequent visitors with a special badge. To do so, the code needs to track recent member visits and call `assignBadge()` using elevation when a member has visited frequently enough. (Note that the code samples below have been simplified, removing error handling and other non-essential code.)
Here is an example of an insecure approach to writing this code:

```javascript
// Backend code in badges.web.js
import { auth } from "@wix/essentials";
import { webMethod, Permissions } from "@wix/web-methods";
import { badges } from "@wix/members";

// Insecure: anyone can call this, and both the badge and the member are
// chosen by the caller.
export const assignBadge = webMethod(
  Permissions.Anyone,
  (badgeId, memberId) => {
    const elevatedAssignBadge = auth.elevate(badges.assignBadge);
    return elevatedAssignBadge(badgeId, [memberId]);
  }
);

export const isFrequentVisitor = webMethod(Permissions.Anyone, (memberId) => {
  // Query collection that tracks member visits,
  // determine if the specified member is a frequent visitor,
  // and return the result
});

// Frontend code in masterPage.js
import { assignBadge, isFrequentVisitor } from "backend/badges.web";
import { members } from "@wix/members";

const frequentVisitorBadgeId = "c705b8dd-aae2-4eea-a4d1-16f52421ec0a";

//...

const currentMember = await members.getCurrentMember();
// Web methods return promises, so the result must be awaited before testing it.
if (await isFrequentVisitor(currentMember._id)) {
  await assignBadge(frequentVisitorBadgeId, currentMember._id);
}
```

There are several problems with the `assignBadge()` web method used in this approach:

- It is open for anyone to call, even though only members can receive badges.
- It doesn't ensure that it will only assign the intended badge.
- It doesn't ensure that it will assign a badge to the currently logged-in member.

Because of these issues, this method can be called by a malicious user to assign any badge to any member.

You can easily remedy these issues by being more careful about where you use elevation and how you expose it to be called.
For example:

```javascript
// In badges.web.js
import { auth } from "@wix/essentials";
import { Permissions, webMethod } from "@wix/web-methods";
import { badges, members } from "@wix/members";

// Only site members may call this, and it takes no arguments: the badge ID is
// fixed here and the member ID is taken from the current session.
export const assignFrequentVisitorBadge = webMethod(
  Permissions.Member,
  async () => {
    const currentMember = await members.getCurrentMember();
    if (isFrequentVisitor(currentMember._id)) {
      const frequentVisitorBadgeId = "c705b8dd-aae2-4eea-a4d1-16f52421ec0a";
      const elevatedAssignBadge = auth.elevate(badges.assignBadge);
      return elevatedAssignBadge(frequentVisitorBadgeId, [currentMember._id]);
    }
  }
);

// Plain backend helper, not exposed as a web method.
const isFrequentVisitor = (memberId) => {
  // Query collection that tracks member visits,
  // determine if the specified member is a frequent visitor,
  // and return the result
};

// masterPage.js
import { assignFrequentVisitorBadge } from "backend/badges.web";

//...

assignFrequentVisitorBadge();
```

In this approach, the following makes sure the elevation isn't exploited by malicious users:

- The ID of the badge to assign is specified in backend code.
- The current member ID is retrieved in backend code.
- The web method used to trigger the badge assignment has permissions set so it can only be called by site members.

## See also

- [About Identities](https://dev.wix.com/docs/develop-websites-sdk/code-your-site/authorization/about-identities.md)
- [Roles & Permissions](https://support.wix.com/en/article/roles-permissions-overview)
- [elevate()](https://dev.wix.com/docs/sdk/core-modules/essentials/auth.md#elevate)
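The secure approach from the example above, written here as an added illustration that is not Wix code: the backend handler is modelled with its Wix dependencies injected (`elevate` standing in for `auth.elevate`, `assignBadge` for `badges.assignBadge`, `getCurrentMember` for `members.getCurrentMember`, `loadVisits` for a query over a constructed member-visits collection), so the three safeguards can be exercised offline. The badge ID, visit threshold and window are assumed placeholder values.

```javascript
// Added example (not Wix code): the secure pattern above as a testable unit.
// deps stand in for Wix modules (assumptions):
//   elevate ~ auth.elevate, assignBadge ~ badges.assignBadge,
//   getCurrentMember ~ members.getCurrentMember (null for anonymous callers),
//   loadVisits ~ a query over the member-visits collection.

// Badge ID fixed in backend code; placeholder value, not a real badge.
const FREQUENT_VISITOR_BADGE_ID = "00000000-0000-0000-0000-0000000000ff";
const VISIT_THRESHOLD = 5; // visits within the window that count as "frequent"
const WINDOW_DAYS = 30;

// Pure check over visit records shaped { memberId, visitedAt } (constructed).
function isFrequentVisitor(memberId, visits, now = Date.now()) {
  const cutoff = now - WINDOW_DAYS * 24 * 60 * 60 * 1000;
  const recent = visits.filter(
    (v) => v.memberId === memberId && new Date(v.visitedAt).getTime() >= cutoff
  );
  return recent.length >= VISIT_THRESHOLD;
}

// Builds the handler that would be wrapped in webMethod(Permissions.Member, ...).
function makeAssignFrequentVisitorBadge(deps) {
  return async function assignFrequentVisitorBadge() {
    // Equivalent of the member-only permission: reject anonymous callers.
    const current = await deps.getCurrentMember();
    if (!current) throw new Error("forbidden: site members only");
    // The member ID comes from the session, never from caller arguments.
    const visits = await deps.loadVisits();
    if (!isFrequentVisitor(current._id, visits)) return { assigned: false };
    // Elevate only at the point of use, with the badge ID fixed server-side.
    const elevatedAssignBadge = deps.elevate(deps.assignBadge);
    await elevatedAssignBadge(FREQUENT_VISITOR_BADGE_ID, [current._id]);
    return { assigned: true, memberId: current._id };
  };
}
```

Because the handler takes no arguments, a caller cannot choose the badge or the target member; the only inputs are the session identity and the visit records the backend loads itself.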