node package manager
It’s your turn. Help us improve JavaScript. Take the 2017 JavaScript Ecosystem Survey »



Manacle is a lightweight ACL implementation for Node.js and the browser.


Create a new ACL:

var acl = manacle.create();

Define some rules:

var user = { ... };
acl.allow('read', 'post');
if (user) {
    acl.allow('create', 'post');
    acl.allow(['update', 'delete'], 'post', function(post) {
        return post.user === user;
    if (user.admin) {
        acl.allow('*', 'post');
    if (user.blocked) {
        acl.deny(['create', 'update', 'delete'], 'post');

Check various rules:

var post = { ... };
// `true` for users who are not blocked 
acl.allowed('create', 'post');
// `true` for all users (the given post object is ignored 
// and unnecessary since there is no condition defined) 
acl.allowed('read', 'post', post);
// `true` for users who are not blocked and either own 
// the post or are an admin 
acl.allowed('update', 'post', post);
acl.allowed('delete', 'post', post);
// `true` (undefined rules are denied by default) 
acl.denied('foo', 'bar');

Note that the order in which the rules are defined matters as each newly defined rule takes precedence over past rules.


Releases are available on GitHub or via NPM.

npm install manacle

Development: manacle.js

Production: manacle.min.js


allow(actions, subjects, condition)

deny(actions, subjects, condition)

Allow (or deny) the specified action(s) and subject(s), optionally only if the given condition holds.


  • actions - string or array of strings
  • subjects - string or array of strings
  • condition - function (optional)

allowed(action, subject, ...)

denied(action, subject, ...)

Check if the specified action(s) and subject(s) are allowed (or denied), optionally checking a condition against any extra arguments.


  • action - string
  • subject - string
  • additional arguments passed to condition function