// console.log('getAbility req.session', req.session)
const rootPath = require('path').join(__dirname, '/../../..')
const pattern = rootPath + options.searchPattern
// console.log('getAbility pattern', pattern)
const userRoles = req.session && req.session.me ? req.session.me.role : [Role.ANON]
// console.log('getAbility userRoles', userRoles)
let allRules = []
glob.sync(pattern).forEach(abilityPath => {
// console.log('getAbility abilityPath', abilityPath)
userRoles.forEach(role => {
const rules = require(abilityPath)[role]
// console.log('getAbility rules', rules)
allRules = allRules.concat(rules)
})
})
req.ability = new Ability(allRules)
// console.log('getAbility req.ability', req.ability)
next()
}
import { Ability } from '@casl/ability'
// Module-level singleton used by abilityPlugin below: created with no rules and
// filled in via `abilityInstance.update(...)` on store init and on auth changes.
// NOTE(review): module scope means one instance for every consumer of this
// module — if this store is ever created server-side (SSR) that is one ability
// shared across requests; confirm before relying on it for per-user decisions.
export const abilityInstance = new Ability()
export const abilityPlugin = (store) => {
abilityInstance.update(store.state.rules)
return store.subscribe((mutation) => {
switch (mutation.type) {
case 'auth/setUser':
// store.$router.app.$storyboard.mainStory.info('casl:store:plugin', 'user logged in, setting access rules')
store.app.api.storyboard.mainStory.trace('casl:vuex', '@store/plugins/casl update permissions')
abilityInstance.update(mutation.payload.rules)
break
case 'auth/logout':
console.log('@store/plugins/casl user logged out, REsetting access rules')
abilityInstance.update([{ actions: 'read', subject: 'all' }])
break
test.serial('Request accepted if authorized', async t => {
  // An ability granting both READ and LIST on the schema, attached to a GET
  // against the LIST route, must let authorizeActions hand off to `next`.
  const allowListing = AbilityBuilder.define(can => {
    can(Action.READ, SchemaName)
    can(Action.LIST, SchemaName)
  })
  const req = new MockExpressRequest({
    method: 'GET',
    route: { path: Routes[Action.LIST] }
  })
  req.ability = allowListing
  const res = new MockExpressResponse({ request: req })
  const nextSpy = sinon.fake()

  authorizeActions(SchemaName)(req, res, nextSpy)

  // Authorized request: the middleware continues the chain exactly once.
  t.is(nextSpy.callCount, 1)
})
test.serial('Request rejected if unauthorized', async t => {
  // Read is granted but DELETE is explicitly forbidden; a DELETE on the
  // DELETE route must therefore be refused by the middleware.
  const readOnly = AbilityBuilder.define((can, cannot) => {
    can(Action.READ, SchemaName)
    cannot(Action.DELETE, SchemaName)
  })
  const req = new MockExpressRequest({
    method: 'DELETE',
    route: { path: Routes[Action.DELETE] }
  })
  req.ability = readOnly
  const res = new MockExpressResponse({ request: req })
  const nextSpy = sinon.fake()

  authorizeActions(SchemaName)(req, res, nextSpy)

  // Denied: 403 is written and the handler chain is never continued.
  // NOTE(review): only the explicit-`cannot` path is exercised here; the
  // default-deny case (no DELETE rule at all) is the one an authorization
  // middleware most needs to get right and would be worth a sibling test.
  t.is(res.statusCode, 403)
  t.is(nextSpy.callCount, 0)
})
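test.serial('Should call send status function for null record ', async t => {
  // The ability only permits `update` on the Person whose _id equals
  // `allowedId`; the request body carries a different _id, so the handler is
  // expected to bail out through `res.sendStatus(...)` instead of updating.
  const allowedId = 'asdfasdfgadf'
  const rawRules = [
    { action: 'update', subject: 'Person', conditions: { _id: allowedId } }
  ]
  const request = new MockExpressRequest()
  request.body = { _id: '5d48f775741eab0d344d4c29' }
  request.ability = new Ability(rawRules)

  // Use the sinon fake directly as sendStatus so the status code it is called
  // with is recorded (the previous wrapper discarded the argument).
  const fakeSendStatus = sinon.fake()
  const response = new MockResponse()
  response.sendStatus = fakeSendStatus

  await updatePersonDetail(request, response)

  // ava's t.is(actual, expected): exactly one sendStatus call.
  t.is(fakeSendStatus.callCount, 1)
  // NOTE(review): the status code itself is still not pinned — whether the
  // handler answers 403 (forbidden) or 404 (null record) is not visible from
  // this test; confirm against updatePersonDetail and then assert
  // `fakeSendStatus.firstCall.args[0]` so a wrong code cannot pass silently.
})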
describe('`Can` component', () => {
// Isolated Vue constructor so the plugin/component registration below does not
// leak into other test files.
const LocalVue = createLocalVue()
// Fixture ability: full read on Plugin, but update only on its `version` field.
const ability = AbilityBuilder.define(can => {
  can('read', 'Plugin')
  can('update', 'Plugin', 'version')
})
beforeAll(() => {
  // Install the abilities plugin with the fixture ability and register <Can>.
  LocalVue.use(abilitiesPlugin, ability)
  LocalVue.component('Can', Can)
})
it('renders all children if `Ability` instance allows to do an action', () => {
const wrapper = render(`
<h1></h1>
<h2></h2>
`)
it('returns fields for `read` action by default', () => {
  // Without an explicit action, accessibleFieldsBy resolves against `read`
  // and yields the field list declared on that rule.
  const readTitleAndState = AbilityBuilder.define(can => {
    can('read', 'Post', ['title', 'state'])
  })
  const fields = Post.accessibleFieldsBy(readTitleAndState)
  expect(fields).to.deep.equal(['title', 'state'])
})
it('allows to override ability by passing "ability" property', () => {
  // The ability handed in via props only grants `update`, so asking
  // `I: 'read'` must render nothing (null tree).
  const updateOnly = AbilityBuilder.define(can => can('update', 'Post'))
  const props = { I: 'read', a: 'Post', ability: updateOnly }
  const tree = renderer.create(e(BoundCan, props, child)).toJSON()
  expect(tree).to.be.null
})
})
it('is defined by `$ne` criteria', () => {
  // A `$ne` condition on a rule is carried into the generated Mongo query
  // unchanged, inside the `$or` of per-rule conditions.
  const notMine = { creator: { $ne: 'me' } }
  const ability = AbilityBuilder.define(can => can('read', 'Post', notMine))
  const expected = { $or: [{ creator: { $ne: 'me' } }] }
  expect(toMongoQuery(ability, 'Post')).to.deep.equal(expected)
})
beforeEach(() => {
  // Rebuild the shared `ability` before every test: draft posts readable,
  // published posts updatable.
  const defineRules = (can) => {
    can('read', 'Post', { state: 'draft' })
    can('update', 'Post', { state: 'published' })
  }
  ability = AbilityBuilder.define(defineRules)
  // Observe rulesFor so tests can check how the ability was queried.
  spy.on(ability, 'rulesFor')
})