getjerry / nest-casl

Casl integration for NestJS
MIT License
225 stars 29 forks

Support restricted fields on AccessGuard #761

Closed belgamo closed 11 months ago

belgamo commented 1 year ago

related to https://github.com/getjerry/nest-casl/issues/254

Motivation

Currently, there's no effortless way to support restricted fields by using the AccessGuard, which requires us to manually call either hasAbility or assertAbility from AccessService.

Strategy

Get all properties from the body object sent by the client and transform them into dot notation paths, which is the way CASL compares the desired ability against the predefined rules. It's fully compatible with CASL patterns.

Goal

Deny the request if the user has sent a field in which they don't have permission to perform an action.
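
The strategy and goal in the description above, as an added sketch that is not the PR's code or nest-casl's API: it flattens a request body into dot-notation paths and lists the paths the caller may not write. The names `toDotPaths`, `deniedFields` and `PERMITTED` are hypothetical, the sample body is constructed, and exact string comparison is assumed in place of CASL's own rule matching.

```typescript
// Added example; not nest-casl or CASL code. All names here are hypothetical.
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

function isPlainObject(value: Json): boolean {
  return typeof value === 'object' && value !== null && !Array.isArray(value);
}

// Turn a request body into the dot-notation paths of its leaves.
// Arrays and empty objects are reported as leaves so they are still checked.
// prefix is null only at the root, so an empty-string key still yields a path.
function toDotPaths(value: Json, prefix: string | null = null): string[] {
  const leaf: string[] = prefix === null ? [] : [prefix];
  if (!isPlainObject(value)) return leaf;
  const record = value as { [key: string]: Json };
  const keys = Object.keys(record); // own keys only, includes a JSON "__proto__" key
  if (keys.length === 0) return leaf;
  const paths: string[] = [];
  for (const key of keys) {
    const childPath = prefix === null ? key : prefix + '.' + key;
    for (const p of toDotPaths(record[key], childPath)) paths.push(p);
  }
  return paths;
}

// Return every submitted path missing from the permitted list; empty means allow.
// Assumption: exact string comparison stands in for CASL's rule matching.
function deniedFields(body: Json, permitted: string[]): string[] {
  // A non-object body has no field paths, so reject it instead of passing unchecked.
  if (!isPlainObject(body)) return ['(body)'];
  const denied: string[] = [];
  for (const path of toDotPaths(body)) {
    if (permitted.indexOf(path) === -1) denied.push(path);
  }
  return denied;
}

// Constructed sample: this caller may write only title and profile.bio.
const PERMITTED: string[] = ['title', 'profile.bio'];
const sampleBody: Json = { title: 'Hi', profile: { bio: 'x', role: 'admin' }, tags: ['a'] };
console.log(deniedFields(sampleBody, PERMITTED));
```

A guard built this way would reject the request whenever the returned list is non-empty, which covers nested fields such as `profile.role` that a top-level key check would miss.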

belgamo commented 11 months ago

@liquidautumn I'd love to get your input here. Please, review when you get a chance.

liquidautumn commented 11 months ago

> @liquidautumn I'd love to get your input here. Please, review when you get a chance.

Thank you for contribution, it looks good overall. Commented on dependency issue, let me know what you think. Also docs update needed but not critical, might be done separately.

belgamo commented 11 months ago

> > @liquidautumn I'd love to get your input here. Please, review when you get a chance.
>
> Thank you for contribution, it looks good overall. Commented on dependency issue, let me know what you think. Also docs update needed but not critical, might be done separately.

I'm wondering if we really need to document this... Since it's built on top of CASL, I'd expect the restricting fields feature to just work when I call can/cannot methods while defining permissions. That's my perspective as a consumer of this library. If you really think it's nice to have, we can evidence it with a short example.

github-actions[bot] commented 11 months ago

:tada: This PR is included in version 1.9.0 :tada:

The release is available on:

Your semantic-release bot :package::rocket: