fratzinger / feathers-casl

feathers.js + casl: hooks & channels
https://feathers-casl.netlify.app/
MIT License
38 stars 18 forks

Ability to have multiple "stages" for permissions? #93

Open joezappie opened 1 year ago

joezappie commented 1 year ago

I'm looking to use CASL for both a licensing system and a user permission system. Issue is that I need the licensing rules to override any user permissions. Even if a user is given a role that gives them permission to everything, if their license doesn't allow that it should fail.

Due to how CASL works, if my license defines that they can only "read" a subject, but their role gives them the ability to "write" for a subject, then they will be able to do things that their license doesn't allow for.

Really what I need is the ability to have "stages" of permission checks. If the license permissions fails, then it should error. If it passes, then it continues to check their user permissions. I'm curious, is this possible to use feathers-casl with multiple sets of independent rules?

I'm thinking I might be able to do this with a hook that swaps out the context.params.ability before running the authorizeHook each time:

const customAuthorizeHook = async (context) => {
   // authorizeHook: the feathers-casl authorize hook, already configured.
   // context.licenseAbility / context.userAbility: this sketch assumes an earlier
   // hook has stored the two CASL abilities on the context.
   context.params.ability = context.licenseAbility;
   await authorizeHook(context); // throws if the licence denies the call
   context.params.ability = context.userAbility;
   await authorizeHook(context); // only reached once the licence stage passed
   return context;
};

This however, wouldn't do anything for channels permissions.

Do you have any thoughts on supporting something like this?

I could use inverted rules for everything, but since it's generally recommended to give instead of take away permissions I'd rather keep as many cannots to a minimum.
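Added example (not code from the issue or from feathers-casl) that models the two behaviours described above: a single merged rule set grants whatever either source allows, while a staged check lets the licence stage deny before role rules are consulted. `can` is a tiny stand-in for CASL's ability check (action/subject only), `ACTION_FOR_METHOD` is an assumed method-to-action mapping, and `stagedCheck`, `stagedAuthorize` and the sample rules are hypothetical.

```javascript
// Minimal stand-in for CASL's `ability.can(action, subject)`: rules carry only
// action and subject, and `manage` / `all` are the "anything" aliases.
function can(rules, action, subject) {
  return rules.some((r) =>
    (r.action === 'manage' || r.action === action) &&
    (r.subject === 'all' || r.subject === subject));
}

// What one CASL ability built from licence + role rules does: a union of grants.
// The role's `manage` grants `update` even though the licence only allows `read`.
function mergedCan(licenseRules, userRules, action, subject) {
  return can([...licenseRules, ...userRules], action, subject);
}

// Staged check: every stage must allow the action, earliest stage first.
// Reports which stage denied so the error can say "licence" rather than "role".
function stagedCheck(stages, action, subject) {
  for (const [name, rules] of stages) {
    if (!can(rules, action, subject)) return { allowed: false, deniedBy: name };
  }
  return { allowed: true, deniedBy: null };
}

// Assumed Feathers service method -> CASL action mapping (feathers-casl lets
// you configure this; these are the conventional values).
const ACTION_FOR_METHOD = {
  find: 'read', get: 'read', create: 'create',
  update: 'update', patch: 'update', remove: 'delete',
};

// Hook factory in the shape of the issue's idea: `stages` is an ordered list of
// [name, rulesFromContext] pairs and the first stage that denies throws.
function stagedAuthorize(stages, subject) {
  return async (context) => {
    const action = ACTION_FOR_METHOD[context.method];
    const resolved = stages.map(([name, rulesOf]) => [name, rulesOf(context)]);
    const result = stagedCheck(resolved, action, subject);
    if (!result.allowed) {
      throw new Error(`${result.deniedBy} rules do not allow ${action} on ${subject}`);
    }
    return context;
  };
}

// Constructed sample: the licence permits reading articles only, while the
// user's role is an all-powerful admin on articles.
const licenseRules = [{ action: 'read', subject: 'Article' }];
const adminRules = [{ action: 'manage', subject: 'Article' }];
const stages = [['license', () => licenseRules], ['user', () => adminRules]];
```

Running `stagedAuthorize(stages, 'Article')` on a `patch` call rejects with a licence error, whereas `mergedCan` would have allowed the update.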