CASL
CASL (pronounced /ˈkæsəl/, like castle) is an isomorphic authorization JavaScript library which restricts what resources a given user is allowed to access. All permissions are defined in a single location (the Ability class) and not duplicated across controllers, views, and database queries.
Heavily inspired by cancan.
Installation
npm install casl --save
Features
- supports MongoDB like conditions ($eq, $ne, $in, $all, $gt, $lt, $gte, $lte, $exists, $regex, field dot notation)
- can construct MongoDB query based on defined abilities
- supports direct and inverted rules
- provides mongoose plugin
- can be easily integrated with any data storage
- provides ES6 build, so you are able to shake out unused functionality
Getting started
CASL allows you to use any data layer (e.g., mongoose, raw mongodb adapter, sequelize), any HTTP framework (e.g., koa, express, feathersjs) and even any frontend framework (e.g., Vuejs, Angular, React, Ionic) because of its isomorphic nature. Also, it doesn't force you to choose a database (however, it is currently best integrated with MongoDB).
Check the sidebar in the documentation for integration examples.
CASL concentrates on what a user can actually do and lets you define abilities in a DSL style. Let's see how.
1. Define Abilities
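Let's define an Ability for a blog website where visitors:
- can read everything
- can manage (i.e., create, update, delete, read) posts which were created by them
- cannot delete a post if it has at least 1 comment
const { AbilityBuilder } = require('casl')

const ability = AbilityBuilder.define((can, cannot) => {
  // visitors can read everything
  can('read', 'all')
  // ...and manage posts they created (`loggedInUser` is assumed to be in scope)
  can('manage', 'Post', { author: loggedInUser.id })
  // ...but cannot delete a post that has at least 1 comment
  cannot('delete', 'Post', { 'comments.0': { $exists: true } })
})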
Yes, you can use some operators from MongoDB query language to define conditions for your abilities. See Defining Abilities for details.
2. Check Abilities
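Later on you can check abilities using can and cannot.
// true if ability allows to read at least one Post
ability.can('read', 'Post')

// true if ability does not allow to read a post
const post = new Post({ title: 'What is CASL?' })
ability.cannot('read', post)
There is also a convenience method, throwUnlessCan, which throws a ForbiddenError exception if the action is not allowed on the target object:
const { ForbiddenError } = require('casl')

try {
  // the `delete` action is a sample value
  ability.throwUnlessCan('delete', post)
} catch (error) {
  console.log(error instanceof Error) // true
  console.log(error instanceof ForbiddenError) // true
}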
See Check Abilities for details.
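The rule set from "Define Abilities" and the checks from "Check Abilities", run through a small stand-alone evaluator. This is an added example, not CASL's own code: `defineAbility`, the `type` field on objects and the sample posts are assumptions, and it assumes the last matching rule decides.

```javascript
// Simplified model of rule evaluation; NOT CASL's own implementation.
// Assumption: rules are tried last-defined-first and the first match decides.
const get = (obj, path) =>
  path.split('.').reduce((v, k) => (v == null ? undefined : v[k]), obj);
const OPS = { // subset of the MongoDB-like operators listed under Features
  $eq: (v, x) => v === x,
  $exists: (v, want) => (v !== undefined) === want,
};
function matches(conditions, subject) {
  return Object.entries(conditions || {}).every(([field, expected]) => {
    const value = get(subject, field);
    if (expected === null || typeof expected !== 'object') return value === expected;
    return Object.entries(expected).every(([op, arg]) => {
      if (!OPS[op]) throw new Error(`unsupported operator ${op}`); // fail closed
      return OPS[op](value, arg);
    });
  });
}
const covers = (rule, action) => rule.action === action ||
  (rule.action === 'manage' && ['create', 'read', 'update', 'delete'].includes(action));
function defineAbility(build) {
  const rules = [];
  const add = inverted => (action, type, conditions) =>
    rules.push({ action, type, conditions, inverted });
  build(add(false), add(true));
  const can = (action, subject) => {
    const isType = typeof subject === 'string';
    const type = isType ? subject : subject.type; // hypothetical `type` field
    for (const r of [...rules].reverse()) {
      if (!covers(r, action) || (r.type !== 'all' && r.type !== type)) continue;
      if (isType) { // no object: conditions cannot be evaluated
        if (r.inverted && r.conditions) continue; // forbids only some objects
        return !r.inverted;
      }
      if (matches(r.conditions, subject)) return !r.inverted;
    }
    return false; // default deny
  };
  return { can, cannot: (action, subject) => !can(action, subject) };
}
const me = 'user-1'; // constructed sample data from here on
const ability = defineAbility((can, cannot) => {
  can('read', 'all');
  can('manage', 'Post', { author: me });
  cannot('delete', 'Post', { 'comments.0': { $exists: true } });
});
const ownPost = { type: 'Post', author: me, comments: [] };
const discussedPost = { type: 'Post', author: me, comments: [{ text: 'hi' }] };
const foreignPost = { type: 'Post', author: 'user-2', comments: [] };
```

In this model `ability.can('delete', 'Post')` is true while `ability.can('delete', discussedPost)` is false, so a server-side guard has to pass the loaded object rather than the type name.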
3. MongoDB integration
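CASL provides easy integration with the MongoDB database.
const { toMongoQuery, AbilityBuilder } = require('casl')
const { MongoClient } = require('mongodb')

const ability = AbilityBuilder.define(can => {
  can('read', 'Post', { author: 'me' }) // sample rule
})

// connection URL and collection name are sample values; assumes a promise-based driver (3.x or later)
MongoClient.connect('mongodb://localhost:27017/blog').then(client => {
  const query = toMongoQuery(ability.rulesFor('read', 'Post'))
  return client.db().collection('posts').find(query).toArray()
})
And if you use mongoose, you are lucky, because CASL provides mongoose middleware which hides all the boilerplate under a convenient accessibleBy method.
const { mongoosePlugin, AbilityBuilder } = require('casl')
const mongoose = require('mongoose')

mongoose.plugin(mongoosePlugin)

const ability = AbilityBuilder.define(can => {
  can('read', 'Post', { author: 'me' }) // sample rule
})

// schema fields are sample values
const Post = mongoose.model('Post', mongoose.Schema({
  title: String,
  author: String,
  createdAt: Date
}))

// by default it asks for `read` rules
// returns mongoose Query, so you can chain it with other conditions
Post.accessibleBy(ability).where({ createdAt: { $gt: Date.now() - 24 * 3600 } })

// also you can call it on existing query to enforce visibility.
// In this case it returns empty array because rules do not allow to read Posts of `someoneelse` author
Post.find({ author: 'someoneelse' }).accessibleBy(ability).exec()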
See Database integration for details.
4. UI integration
CASL is written in pure ES6 and has no dependencies on Node.js or other environments. That means you can use it on the UI side. It may be useful if you need to show or hide some UI functionality based on what the user can do in the application.
{ thisability = } { return } { return }
Read "CASL in Aurelia app" or "Vue ACL with CASL" for details.
Documentation
A lot of useful information about CASL can be found in the documentation (check the sidebar on the right-hand side).
Want to help?
Want to file a bug, contribute some code, or improve documentation? Excellent! Read up on the guidelines for contributing.