Even user can also access the APEX page need to restrict

Question

I have created a application which as 4 pages

• Home
• Admin page
• Calculate BMI
• About

Then I went into -> shared components -> Select Authorization schema -> Create

I have set a name to it as only_admin -> PLSQL boolen expression return (option)

Below is my code

DECLARE
  myrole VARCHAR2(10 CHAR);
BEGIN
  SELECT role_assigned
  INTO   myrole
  FROM   employee
  WHERE  id = :APP_USER;
  
  IF :myrole = 'ADMIN' THEN
    RETURN TRUE;
  ELSE
    RETURN false;
  END;

After saving my above code … I went into Admin page -> under security -> selected -> only_admin

Now what is happening is … even the user is also able to see the page. That should not happen

**Below is my table : Employee **

NAME,AGE,ID,ROLE_ASSIGNED
Raj,22,12,ADMIN 
Deep,24,14,USER
Bob,26,16,USER

I want to restrict the Name : Deep and Bob from accessing the Admin page as they are USER -> ROLE_ASSIGNED

Answer 1

Just for completeness here is another option that is both simpler and less error prone. As authorization scheme code, instead of using a "pl/sql function returning boolean", go for the "sql exists" option with the following sql:

SELECT  1 
  FROM  employee
 WHERE  id = :APP_USER 
   AND  myrole = 'ADMIN' 

Advantages:

• If user has no row in table employee, it will not raise an exception.
• If the security model allows for an employee to have multiple rows, no change to the source is needed.

Answer 2

It is not

IF :myrole = 'ADMIN' THEN

but

IF myrole = 'ADMIN' THEN

i.e. no semi-colon in front of myrole. It isn't a page item or anything like that; it's just a local variable.