-
|
Hi everyone, I'm exploring CASL as part of a migration from Oso and encountered a challenge regarding relational (or hierarchical) policies. Specifically, I'm looking for a way to express policies where permissions on one subject imply permissions on a related subject. For example, consider this use case:
In Oso, this can be defined like this: However, IIUC, CASL does not natively support relational policies like the following pseudo-code: allow('create', 'Organization', { conditions: { ownerId: user.id } });
allow('create', 'Issue', { conditions: can('create', 'Organization', { ownerId: user.id }) });Questions
I'd love to hear your thoughts on how best to approach this with CASL or whether this is something that could be added as a feature. Thank you for your input! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 8 replies
-
|
Very often all tenant based application have tenant id over all tenant specific entities. For example, in your case very likely that Issue has relation to organization and basically has If so, then your permissions are translated to this: pseudocode above to show the idea of how it should be done in casl (user.ownedOrgIds is an array of all owned organizations ids by authenticated user) |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for the detailed response! I understand the approach of using attributes like For example, consider the following scenario:
The idea is that the relationship between allow('admin', 'Organization', { id: orgId });
allow('create', 'Repository', { parent: can('admin', 'Organization') });
allow('create', 'Issue', { parent: can('create', 'Repository') });This would allow permissions to flow naturally through the hierarchy without requiring user-specific attributes like If we were to rely solely on attributes (e.g.,
In systems like Oso, this can be expressed via relationship-based access control (ReBAC) where permissions cascade based on relationships between entities. So I have a feeling this is not possible in CASL? I appreciate the suggestion to use Thanks again for your insights and help! |
Beta Was this translation helpful? Give feedback.
-
|
There is no such thing in casl but you can get it with some restrictions (e.g., you won't be able to translate casl permissions into database query with built-in helpers). To do this, you can switch to lambda based permission definition or define custom So, the entities: class Organization {
constructor(ownerId) {
this.ownerId = ownerId;
}
}
class Issue {
constructor(org) {
this.org = org
}
}Lambda version: const lambdaMatcher = (matchConditions) => matchConditions;
export default function defineAbilityFor(user) {
const { can, build } = new AbilityBuilder(PureAbility);
can('create', Organization, (org) => org.ownerId === user.id);
can('create', Issue, (issue) => ability.can('create', issue.org));
const ability = build({ conditionsMatcher: lambdaMatcher });
return ability
}The same with import {
createMongoAbility,
AbilityBuilder,
} from '@casl/ability';
import { $in, within, $eq, eq, createFactory, $where, where } from '@ucast/mongo2js';
const conditionsMatcher = createFactory({
$in, $eq, $where,
}, {
in: within, eq, where
});
function defineAbilityFor(user) {
const { can, build } = new AbilityBuilder(createMongoAbility);
can('create', Organization, { ownerId: user.id });
can('create', Issue, {
$where() {
return ability.can('create', this.org); // `this` points to issue which we test permissions on
}
});
const ability = build({ conditionsMatcher });
return ability;
}and the code to evaluate this thing: const ability = defineAbilityFor({ id: 1 })
const ownOrg = new Organization(1);
const ownIssue = new Issue(ownOrg);
const anotherOrg = new Organization(2);
const anotherIssue = new Issue(anotherOrg);
console.log({
canCreateOwnIssue: ability.can('create', ownIssue),
canCreateAnotherIssue: ability.can('create', anotherIssue),
});Full working example: Exampleimport {
createMongoAbility,
AbilityBuilder,
PureAbility,
} from '@casl/ability';
import { $in, within, $eq, eq, createFactory, $where, where } from '@ucast/mongo2js';
const conditionsMatcher = createFactory({
$in, $eq, $where,
}, {
in: within, eq, where
});
// function defineAbilityFor(user) {
// const { can, build } = new AbilityBuilder(createMongoAbility);
// can('create', Organization, { ownerId: user.id });
// can('create', Issue, {
// $where() {
// return ability.can('create', this.org);
// }
// });
// const ability = build({ conditionsMatcher });
// return ability;
// }
const lambdaMatcher = (matchConditions) => matchConditions;
function defineAbilityFor(user) {
const { can, build } = new AbilityBuilder(PureAbility);
can('create', Organization, (org) => org.ownerId === user.id);
can('create', Issue, (issue) => ability.can('create', issue.org));
const ability = build({ conditionsMatcher: lambdaMatcher });
return ability
}
class Organization {
constructor(ownerId) {
this.ownerId = ownerId;
}
}
class Issue {
constructor(org) {
this.org = org
}
}
const ability = defineAbilityFor({ id: 1 })
const ownOrg = new Organization(1);
const ownIssue = new Issue(ownOrg);
const anotherOrg = new Organization(2);
const anotherIssue = new Issue(anotherOrg);
console.log({
canCreateOwnIssue: ability.can('create', ownIssue),
canCreateAnotherIssue: ability.can('create', anotherIssue),
}); |
Beta Was this translation helpful? Give feedback.
-
|
Then you get same thing as in OSO but you loose some flexibility. Still, I'd recommend to use tenant id because when your app will grow, you will want to shard/partition data. And in that case you will be just forced to add organizationId to every nested entity to ensure that they live on the same shard. The additional benefit you will get is a possibility to fetch accessible records from db, basically translate permissions to db query and check them on db level |
Beta Was this translation helpful? Give feedback.
-
|
This code looks fantastic! Thank you so much for taking the time to share such a detailed solution. It really aligns with what I’ve been trying to achieve, and I’ll definitely give it a try. That said, as you pointed out, the restriction of not being able to translate CASL permissions into database queries using built-in helpers seems like a significant drawback for scalability. Here’s why it might be a concern for my use case. Currently, I define my policies like this: export function defineOrganizationAbilityFor({ user }: Input): Array<RawRuleOf<AppAbility>> {
const rules: Array<RawRuleOf<AppAbility>> = [];
rules.push( /* Whatever permission I want to add based on roles, etc. */ );
return rules;
}And then I build it all together like this: export const defineAbilityFor = (user) => {
const rules: Array<RawRuleOf<AppAbility>> = [];
if (user.roles.includes("admin")) {
rules.push({ subject: "all", action: "manage" });
}
const orgRules = defineOrganizationAbilityFor({ user });
const repoRules = defineRepositoryAbilityFor({ user });
const issueRules = defineIssueAbilityFor({ user });
return createMongoAbility<AppAbility>([...rules, ...orgRules, ...repoRules, ...issueRules], {
detectSubjectType: (item) => item.kind,
});
};If I understand correctly, using your proposed lambda-based approach (or the That’s a trade-off I was hoping to avoid, as the ability to query accessible records directly from the database is critical for larger applications. While I understand your point about adding tenant IDs for better partitioning and scaling, my goal was to keep the focus on subject relationships for now. Remaining Questions
Thanks again for this incredible explanation and the examples. They’ve been super helpful in understanding how to approach this! |
Beta Was this translation helpful? Give feedback.
-
|
You can still use Both approaches doesn't work with database query because on database level Casl takes this simple, it won't try to solve complex querying requirements because it's just additional complexity. This is the reason I recommended to use tenant id (ie, orgId) based conditions instead of relying on hierarchy. I do not have plans to somehow integrate it to casl because there is an alternative via tenantId which is simpler in implementation and faster in execution. Though, it could be solved with aggregation pipeline joins, I've just checked that Also if you use Prisma, it can do "query magic" and for Prisma.js there is a separate package that allows to define permissions based on relations in Prisma, and then Prisma execs the query by itself in spite of its complexity. |
Beta Was this translation helpful? Give feedback.
-
|
But even in case of aggregation pipeline, Mongo will need to join multiple collections together and then do filtering which for sure will be slower than tenantId approach. There is no built-in way to replace part of permission conditions with something database will understand. But you can do it by using function customConvert(rule) {
const conditions = rule.conditions.$where ? convertWhereToSmthDbUnderstands(rule.conditions) : rule.conditions;
return rule.inverted ? { $nor: [conditions] } : conditions;
}
const query = rulesToQuery(ability, 'read', 'Issue', customConvert);
const result = query === null ? EMPTY_RESULT_QUERY : query as Record<string, unknown>; |
Beta Was this translation helpful? Give feedback.
There is no such thing in casl but you can get it with some restrictions (e.g., you won't be able to translate casl permissions into database query with built-in helpers). To do this, you can switch to lambda based permission definition or define custom
$whereoperator.So, the entities:
Lambda version: