-
I'm just getting started with the CASL library, so sorry if this question is a misunderstanding of the API. Here is a simple demo of the issue I'm facing.

```js
import { defineAbility } from '@casl/ability';
import { permittedFieldsOf } from '@casl/ability/extra';

export class Article {
  constructor(title, description, authorId, keywords) {
    this.title = title;
    this.description = description;
    this.authorId = authorId;
    this.published = false;
    this.metadata = {
      likes: 0,
      keywords
    };
  }
}

const ability = defineAbility((can, cannot) => {
  can('read', 'Article', ['title', 'description', 'metadata.*'], { authorId: 1 }); // direct rule
  cannot('read', 'Article', { published: false }); // inverted rule
});
```

Now I create a new article with the user id set to 1. Since the article is not published, even though the user is the owner, the user should not be able to access the fields within the article.

```js
const article = new Article("article", "desc", 1, "keywords");
console.log(ability.can('read', article, 'articles.title')); // evaluates to false as expected
console.log(ability.can('read', article, 'articles.metadata')); // evaluates to false as expected
console.log(ability.can('read', article, 'articles.metadata.likes')); // evaluates to false as expected
```

So far so good. Now, when I try to get the permitted fields, I unfortunately get an unexpected result.

```js
let ARTICLE_FIELDS = ['title', 'description', 'authorId', 'published', 'metadata.likes', 'metadata.keywords'];
let options = { fieldsFrom: rule => rule.fields || ARTICLE_FIELDS };
let fields = permittedFieldsOf(ability, 'read', article, options);
console.dir(fields, { depth: null }); // evaluates to [ 'metadata.*' ] instead of []
```

However, if I change the article fields to the following, then I get the expected result.

```js
ARTICLE_FIELDS = ['title', 'description', 'authorId', 'published', 'metadata.*'];
options = { fieldsFrom: rule => rule.fields || ARTICLE_FIELDS };
fields = permittedFieldsOf(ability, 'read', article, options);
console.dir(fields, { depth: null }); // evaluates to [] as expected
```

So the question is: am I misunderstanding how to properly use

Thanks
-
Hi, thanks for the issue. The actual logic under permittedFieldsOf doesn't support wildcards in fields, so you found a bug.
-
Thanks for the quick response. Is this an issue that is important enough to be worked on? Can you point me in a general direction on how to implement a fix or a workaround?
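One workaround along the lines the follow-up asks about, added here as an illustration and not taken from the thread or from CASL itself: expand wildcard patterns such as `metadata.*` into the model's concrete field names inside the `fieldsFrom` option, so that the direct rule's additions and the inverted rule's removals refer to the same names. The pattern convention (`*` matches one path segment, `**` any depth), the `expandFields` helper and the `expandingFieldsFrom` option are assumptions; `modelPermittedFields` is a constructed stand-in that reproduces the add/remove behaviour the post observed and is not CASL's own implementation. The `ARTICLE_FIELDS` list and the rules are the ones from the post.

```javascript
// Added example, not part of the discussion or of CASL: a fieldsFrom option
// that expands wildcard field patterns into concrete field names before
// permittedFieldsOf toggles them, so that a direct rule's additions and an
// inverted rule's removals refer to the same names.

// Concrete fields of the Article model, as listed in the post.
const ARTICLE_FIELDS = [
  'title', 'description', 'authorId', 'published',
  'metadata.likes', 'metadata.keywords',
];

// Assumed pattern convention: '.' separates path segments, a '*' segment
// matches exactly one segment, a '**' segment matches one or more segments.
function patternToRegExp(pattern) {
  const source = pattern.split('.').map((segment) => {
    if (segment === '**') return '.+';
    if (segment === '*') return '[^.]+';
    return segment.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  }).join('\\.');
  return new RegExp(`^${source}$`);
}

// Replace each wildcard pattern with the concrete fields it matches;
// plain field names pass through unchanged, duplicates are dropped.
function expandFields(fields, allFields) {
  const result = [];
  for (const field of fields) {
    const matches = field.includes('*')
      ? allFields.filter((f) => patternToRegExp(field).test(f))
      : [field];
    for (const f of matches) if (!result.includes(f)) result.push(f);
  }
  return result;
}

// The option to hand to permittedFieldsOf: rules without explicit fields
// cover every field, rules with fields are expanded against the model.
function expandingFieldsFrom(rule) {
  return rule.fields ? expandFields(rule.fields, ARTICLE_FIELDS) : ARTICLE_FIELDS;
}

// The original post's option, kept for comparison.
function naiveFieldsFrom(rule) {
  return rule.fields || ARTICLE_FIELDS;
}

// Constructed stand-in (not CASL's code) for the add/remove behaviour the post
// observed: rules matching the subject are applied in definition order, a
// direct rule adds its fields and an inverted rule removes them.
function modelPermittedFields(rules, subject, fieldsFrom) {
  const permitted = new Set();
  for (const rule of rules) {
    if (!rule.matches(subject)) continue;
    for (const field of fieldsFrom(rule)) {
      if (rule.inverted) permitted.delete(field); else permitted.add(field);
    }
  }
  return Array.from(permitted);
}

// The two rules from the post, with their conditions written as predicates.
const RULES = [
  { inverted: false, fields: ['title', 'description', 'metadata.*'], matches: (s) => s.authorId === 1 },
  { inverted: true, fields: undefined, matches: (s) => s.published === false },
];

// Constructed unpublished article owned by user 1.
const ARTICLE = { title: 'article', description: 'desc', authorId: 1, published: false };

function demo() {
  return {
    naive: modelPermittedFields(RULES, ARTICLE, naiveFieldsFrom),        // [ 'metadata.*' ]
    expanded: modelPermittedFields(RULES, ARTICLE, expandingFieldsFrom), // []
  };
}

console.log(demo());
```

With the naive option the inverted rule removes the six concrete names but never sees `metadata.*`, which is exactly the leftover the post reports; with the expanding option both rules work on concrete names and the unpublished article yields no permitted fields, while a published article owned by user 1 yields the four concrete fields the direct rule grants. In real code the `expandingFieldsFrom` function is what you would pass as `options.fieldsFrom` to `permittedFieldsOf`.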