Can when fields are not specified #873

Arcus16 · 2024-02-05T19:57:36Z

Arcus16
Feb 5, 2024

Hi, I have this rule for updating an Account

    can(Action.Update, Account, ['name'], {
        id: {
            $in: accountIds,
        },
    });

And it works as it should, for example

ability.can(Action.Update, account, 'name') // returns true 
ability.can(Action.Update, account, 'region') // returns false

What bothers me is when somebody does this:

ability.can(Action.Update, account) //  returns true

so I added this rule

    cannot(Action.Update, Account).because('Field must be specified');

and I thought that now the ability.can(Action.Update, account) would return false and ability.can(Action.Update, account, 'name') would still return true. But it doesn't work that way, so I want to ask is there some other approach to achieve this?

Answered by stalniy

Feb 6, 2024

What you want is flag/claim based permission checks. Let’s map what you did in casl to real world

If you have access to a room inside some building, do you then have access to the building itself? Yes because room is part of building and there is no way to enter room without accessing building.

This is how casl was designed and how it works.

Name is an attribute of Account, this is part of an Account, if you can update part of an Account it means you can update Account. Because when you update part of a whole, you update this whole. I believe it’s logical

If this is not desired, you have 2 options:

use another library
Don’t use attribute level checks

View full answer

stalniy · 2024-02-06T04:33:21Z

stalniy
Feb 6, 2024
Maintainer

What you want is flag/claim based permission checks. Let’s map what you did in casl to real world

If you have access to a room inside some building, do you then have access to the building itself? Yes because room is part of building and there is no way to enter room without accessing building.

This is how casl was designed and how it works.

Name is an attribute of Account, this is part of an Account, if you can update part of an Account it means you can update Account. Because when you update part of a whole, you update this whole. I believe it’s logical

If this is not desired, you have 2 options:

use another library
Don’t use attribute level checks

1 reply

Arcus16 Feb 6, 2024
Author

Thanks for the explanation! I thought this behavior was impossible, but I wanted to ask because I may have missed something in the documentation or misunderstood something. I am just adding a new feature to my application, and I need more granular rules, so far users can update anything on Account if accountId matched, now I need to allow only specific fields.
So, I have ability.can(Action.Update, account) on many places in my codebase, and I was wondering if it could work as I described I could prevent bugs caused by not specifying fields when checking user permissions.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Can when fields are not specified #873

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Can when fields are not specified #873

Arcus16 Feb 5, 2024

Replies: 1 comment · 1 reply

stalniy Feb 6, 2024 Maintainer

Arcus16 Feb 6, 2024 Author

Arcus16
Feb 5, 2024

Replies: 1 comment 1 reply

stalniy
Feb 6, 2024
Maintainer

Arcus16 Feb 6, 2024
Author