Neal Tovsen
@nealtovsen
Thanks for the tip, @stalniy. Seems like a good approach. Will give it a try.
Sergii Stotskyi
@stalniy
@FranBor you have a typo: mEnage, it must be mAnage
FranBor
@FranBor
I apologize! Thanks for the answer!
Julian
@judomu

Sergii Stotskyi @stalniy Apr 30 00:28
@judomu could you please try a new version of @casl/ability? I replaced spread operator with Object.assign which is supported by Edge 12+

I will do it next weekend, thank you

Nicholas Kang
@nickk2006_gitlab

Testing Best Practices?
How is everyone testing their authorization logic? I already read the guide, but just wanted to see what everyone else is doing.

Right now my plan is just to test the boolean return value of every Actions/Subjects permutation for every state of my application (e.g., private/public chat, regular/admin user, free/premium user, etc.)

Is there any other way or am I going to have to spend the weekend grinding CASL?

Nicholas Kang
@nickk2006_gitlab
Also, I appreciate the library a lot! The guide is clear and the API is developer friendly.
Sergii Stotskyi
@stalniy
@nickk2006_gitlab from what I know the community tests every action/subject as this is the safest way. There is another approach which is described in the guide; it’s easier but may break frequently if you change rules
Nicholas Kang
@nickk2006_gitlab
Got it! I'll go with testing every action/subject. Thanks, @stalniy.
Roman Mahotskyi
@enheit

Hello guys,

Currently, I'm trying to integrate CASL into my project. But I've got stuck...

Let's imagine that there is a user. The user is able to buy a car. After he has bought a car we assign a permission to the user that says he owns his car.

action: 'manage', subject: 'Car', condition: { carId: ${id} }

From this moment I have 2 records in 2 entities in my MongoDB

User
id: 1
name: Roman
permissions: [
  { action: 'manage', subject: 'Car', condition: { carId: 1 } }
]
Car
id: 1
make: BMW

At this moment there is no question how to manage it.

Let's imagine that we want to buy a bicycle. After the user has bought a bicycle we add a new permission to the user's permissions array

User
id: 1
name: Roman
permissions: [
  { action: 'manage', subject: 'Car', condition: { carId: 1 } },
  { action: 'manage', subject: 'Bicycle', condition: { bicycleId: 1 } }
]
Car
id: 1
make: BMW
Bicycle
id: 1
make: Haro

At this moment the user has permissions to the subjects: Car & Bicycle.

And finally the problem...

Let's imagine that the user wants to sell his bicycle to a different user. From the database perspective we have to somehow remove the permission to the bicycle from the first user and assign this permission to another user. It doesn't matter whether we move this permission or delete it and create a new one.

The question is: How to know which permission should be removed from the User.permissions array if something like this happens?

The documentation says nothing about this (Am I wrong?).

P.S. If I don't remove permissions from the previous user the permissions array starts to grow and can affect the performance of the app.
P.P.S. I was thinking about it and came up with some kind of ids. An id is assigned to each permission to be able to distinguish them. It will allow me (as a developer) to easily update/delete existing permissions.

Sergii Stotskyi
@stalniy
The question is not CASL specific. It’s domain modeling. That’s why there is no info about this in docs :)
I’d use a different structure. Instead of updating the user I’d add an ownerId field to cars and bicycles. So then you can easily reflect ownership. And easily update it. And this also allows you to easily fetch all owned cars and bicycles by the ownerId field. And this would simplify the permissions structure (probably you don’t need to store them if you don’t configure permissions from an admin panel)
if you add an ownerId field then your use case becomes similar to blog posts and authors
Roman Mahotskyi
@enheit
Okay, does CASL support attribute revocation? Or is this not ABAC's responsibility?
Sergii Stotskyi
@stalniy
There is the update method. You can update permissions. How you do it or how you store it, CASL doesn’t care; that is up to you and your business logic
Roman Mahotskyi
@enheit
I got it. Thank you
Sergii Stotskyi
@stalniy
No problem :)
Chaitanya Babar
@ChaitanyaBabar
@stalniy
Can casl and casl/mongoose be used for role-based authorization for dynamic urls?
i.e. if these two urls [/blogs/:Bid] [/blogs/:Bid/comment/:commentId] have different authorization levels for different users?
Sergii Stotskyi
@stalniy
Chaitanya Babar
@ChaitanyaBabar
Thanks @stalniy that would be helpful
Alexander Papageorgiou
@alex-ppg

Hello guys, I have been investigating the documentation but have not found how the tool behaves if overlapping conditions are met when passed to permittedFieldsOf.

For example, let us say within the abilities we have defined that the user is able to read the title of a post anyhow, the user is able to read the comments of a post if he is the author of the said post and a final ability that says the user is able to read the author of a post if he is a moderator.

If I call permittedFieldsOf and a user fulfills all three criteria will it actually return all fields or will it return the first match? Thanks!

Sergii Stotskyi
@stalniy
Hello, it returns all fields
Chaitanya Babar
@ChaitanyaBabar
@stalniy
Do we have an example like 'casl-persisted-permissions-example' which has REST endpoints as well?
Something similar to 'casl-express-example' but with role-based persisted permissions
Sergii Stotskyi
@stalniy
No, this was a minimalistic example
Bertrand
@beltr0n
Hi, the Hello World example linked in the guide seems to be broken. Is this a known issue and is there a workaround?
Sergii Stotskyi
@stalniy
Hi, I’ll check but it should work. Thanks for noting
@ChaitanyaBabar do you have any questions of how to integrate that example with REST?
Chaitanya Babar
@ChaitanyaBabar
@stalniy
Yes, actually it would have been great if we had an initial boilerplate code for REST role-based authorization.
Sergii Stotskyi
@stalniy
@beltr0n I fixed the example. I migrated it to CommonJS because codesandbox supports only Node v10 and experimental ES modules are available from node 11
FranBor
@FranBor

Hi, I didn't understand how to use aliases without using defineAbility; I'm using JSON to define rules
this is my AppAbility.ts

import { Ability, RawRuleOf, ForcedSubject } from '@casl/ability';

export const actions = ['manage', 'create', 'read', 'update', 'delete', 'send', 'write', 'move'] as const;
export const subjects = ['Mail', 'Contact', 'all'] as const;

export type Abilities = [
    typeof actions[number],
    typeof subjects[number] | ForcedSubject<Exclude<typeof subjects[number], 'all'>>
];
export type AppAbility = Ability<Abilities>;
export const createAbility = (rules: RawRuleOf<AppAbility>[]) => new Ability<Abilities>(rules);

I tried

const resolveAction = createAliasResolver({
  modify: ['update', 'delete']
});
export const createAbility = (rules: RawRuleOf<AppAbility>[]) => new Ability<Abilities>(rules, { resolveAction: _resolveAction });

but _resolveAction is not assignable to resolveAction
Please, can you help me?

Sergii Stotskyi
@stalniy
Ability accepts options object as a 2nd argument. So just pass that object with resolveAction as a 2nd param
new Ability(rules, { resolveAction })
FranBor
@FranBor

Thank you so much.
I have updated my AppAbility.ts

import { Ability, RawRuleOf, ForcedSubject, createAliasResolver } from '@casl/ability';

export const actions = ['manage', 'create', 'read', 'update', 'delete', 'send', 'write', 'move'] as const;
export const subjects = ['Contact', 'Mail', 'all'] as const;

export type Abilities = [
    typeof actions[number],
    typeof subjects[number] | ForcedSubject<Exclude<typeof subjects[number], 'all'>>
];
export type AppAbility = Ability<Abilities>;


const resolveAction = createAliasResolver({
    modify: ['create', 'update']
});
export const createAbility = (rules: RawRuleOf<AppAbility>[]) => new Ability(rules, { resolveAction });

after logging in I update the ability

this.ability.update([{"action":"modify","subject":"Contact"},{"action":"read","subject":"Contact"}]);

console.log('modify', this.ability.can('modify', 'Contact')); // true  - I expected true
console.log('update', this.ability.can('update', 'Contact')); // false - I expected true
console.log('create', this.ability.can('create', 'Contact')); // false - I expected true
Sergii Stotskyi
@stalniy
This is very strange
Sergii Stotskyi
@stalniy
I think you are using different Ability instances because your example perfectly works in https://codesandbox.io/s/charming-nobel-ccl4n?file=/src/index.js
@FranBor ^^^
Sergii Stotskyi
@stalniy

@FranBor updated API docs - https://stalniy.github.io/casl/v4/en/api/casl-ability#pure-ability-constructor

You can find all options listed there. Also I'd recommend using a TypeScript-aware IDE like VSCode, which can highlight possible values based on d.ts files even for JavaScript

FranBor
@FranBor
Thank you so much. I have updated my AppAbility.ts and I have created an example https://codesandbox.io/s/pedantic-tu-523gh
Now I have this error: this.ability.update is not a function
Sergii Stotskyi
@stalniy

Sorry, but these are your app-related issues. Please check the Angular example and try to fix them by yourself.

I can't help everybody with every issue in every framework :)

Scott
@smolinari
Hey. Brand new to Casl and have a question. I'm looking to do two different things possibly with Casl and I'd like to know if it is possible. The first is a data access scheme, where users might have hierarchical access to data from other users. In other words, say you have a business and in it two teams with a manager of the two teams. The team members can see data from their colleagues, but not from the other team. The manager can see data from both teams. This kind of hierarchy can go many levels high. That is use case #1.
The next use case is creating what I'd call permission sets. A permission set would be any number of the given rules to do things within the application. Permission sets would be assigned to users and be additive to their "ability profiles".
Are these doable with Casl?
Sergii Stotskyi
@stalniy
Hi @smolinari, create a proof of concept and let us know. There is no special handling for hierarchies in casl but I’m pretty sure you can do this with ABAC. For example if you use the materialized path approach you can define a $regex that checks the path. Or using arrays and $in or $all
Scott
@smolinari
Thanks Sergii. Materialized paths sounds like a good route for the hierarchies ( I guess I was looking for the pattern more than if Casl can do it. Thanks for the suggestion). So, to reiterate... for the first scenario, I'll need something like materialized paths, but using simpler ABAC for the permissions (only needs read ability). And for the second scenario, the permission sets would be a set of Casl rules based on the application's "standard set" of rules and I'll need a system to merge the abilities together (additive) for each user (i.e. merge the user's role/ standard set of abilities and the assigned permission sets). Does that sound about right?
Sergii Stotskyi
@stalniy
Sounds good. You can use AbilityBuilder to define an array of rules for different sets and in the simplest form concat these arrays
the rule to stick with in such a case is “give permissions, don’t take them away”. It will be simpler to reason about current user permissions
Scott
@smolinari
Awesome. Thanks!
Federico Vela
@fedevela
Hello all, thank you in advance for reading, I need some help please. I have been using casl-react for a while but now I am having trouble upgrading to v4. I have been getting several kinds of errors, I think related to passing the abilities incorrectly. Currently my error is "Warning: unstable_flushDiscreteUpdates: Cannot flush updates when React is already rendering." but it seems that the one that pops up most often is "Can.ts:66 Uncaught TypeError: t.on is not a function" which I think might have to do with an incorrect definition of the abilities raw JSON. I am unsure as to how to proceed. Please help!!!
Sergii Stotskyi
@stalniy
Hello @fedevela it’s hard to help. Can you create a small repo that reproduces your error?
by the way casl/react now has useAbility hook
Federico Vela
@fedevela
Thank you very much for your reply @stalniy !!!! The CASL code is buried in layers of React so I was hoping for some illuminating magical pointer XD ... I will try the useAbility hook, I have a feeling I am doing something really stupid like sending a string when it expected an object or something like that.
I might just have to start with an app from scratch, implement casl bare bones and then move the old one on top. :/