ntgussoni / blitz-guard

Blitz Guard - The centralized permission based authorization for Blitz.js
https://ntgussoni.github.io/blitz-guard
MIT License

Examples of a data-driven ability file? #227

Open chrisj-back2work opened 2 years ago

chrisj-back2work commented 2 years ago

What do you want and why?

This article describes ability files clearly: https://ntgussoni.github.io/blitz-guard/docs/ability-file

The examples are all based on a user's authorization status or explicit ownership of a resource.

Other common patterns include: (1) permissions are assigned to roles, and roles are assigned to users -- each user's permissions are the net of all permissions added from all roles, with no permissions subtracted by a role; (2) permissions are conditioned on recurring data patterns, e.g. users are granted roles per-tenant, or users have permissions based on direct or indirect ownership of a record, or user A can delegate permissions to other users that are a subset of user A's permissions.

These would be data-driven approaches to ability files: rules that can't be coded in advance, but are applied dynamically at run time based on user enabled / disabled status; user membership in tenants; permissions granted to tenant-specific roles; etc.

Just wondering if there are examples of this approach.

Possible implementation(s)

If there aren't examples of this, I could probably provide them.

Additional context

Nice v1 tool.

webdeb commented 1 year ago

> If there aren't examples of this, I could probably provide them.

That would be cool 👍

ntgussoni commented 1 year ago

Hi @chrisj-back2work, first of all sorry I took 6 months to reply. I didn't see this issue until @webdeb wrote.

There's nothing stopping you from querying a database or doing anything else inside each rule.

For example,

```ts
// db (the Prisma client) and ctx (the Blitz context) come from the ability file's scope
can("delete", "comment", async (_args) => {
  return (await db.comment.count({ where: { userId: ctx.session.userId } })) === 1
})
```

Note that `_args` are the same args received in your queries or mutations (it's important to type them properly to avoid issues). If you need to access the session, you have `ctx` available.

I'm not sure if this answers your question (you probably solved it by now), but if you have more examples I haven't thought about, please let me know.
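The patterns the issue asks about (permissions pooled from roles without subtraction, roles granted per tenant, delegation limited to a subset of the grantor's own rights) together with a rule body of the kind the maintainer describes, as an added example that is not part of this thread and not blitz-guard's own code. It is stand-alone TypeScript: the `users`, `memberships`, `rolePermissions` and `comments` arrays are constructed stand-ins for database tables, `session` stands in for `ctx.session`, and every function name is an assumption rather than blitz-guard API. `deleteCommentRule` has the shape of the callback passed to `can(...)` above, with the database query replaced by lookups in the in-memory data.

```typescript
// Added example (not blitz-guard's own code): data-driven authorization rules
// modelled over in-memory tables that stand in for a database.
type Action = "create" | "read" | "update" | "delete"
type Resource = "comment" | "post"
type Permission = `${Action}:${Resource}`

interface UserRow { id: number; enabled: boolean }
interface MembershipRow { userId: number; tenantId: number; roles: string[] }
interface CommentRow { id: number; tenantId: number; authorId: number }

// Constructed sample data (assumed schema, not a real database).
const users: UserRow[] = [
  { id: 1, enabled: true },
  { id: 2, enabled: true },
  { id: 3, enabled: false }, // disabled account: must never be granted anything
]
const rolePermissions: Record<string, Permission[]> = {
  viewer: ["read:comment", "read:post"],
  editor: ["create:comment", "update:comment"],
  moderator: ["delete:comment"],
}
// Roles are granted per tenant, so one user can be a moderator in tenant 10
// and only a viewer in tenant 20.
const memberships: MembershipRow[] = [
  { userId: 1, tenantId: 10, roles: ["editor", "moderator"] },
  { userId: 1, tenantId: 20, roles: ["viewer"] },
  { userId: 2, tenantId: 10, roles: ["viewer", "editor"] },
  { userId: 3, tenantId: 10, roles: ["moderator"] },
]
const comments: CommentRow[] = [
  { id: 100, tenantId: 10, authorId: 2 },
  { id: 101, tenantId: 20, authorId: 2 },
]

// Pattern (1): the net permission set is the union over all roles the user holds
// in that tenant; a role can only add rights. A disabled user has no rights at all.
function effectivePermissions(userId: number, tenantId: number): Set<Permission> {
  const perms = new Set<Permission>()
  const user = users.find((u) => u.id === userId)
  if (!user || !user.enabled) return perms
  for (const m of memberships) {
    if (m.userId !== userId || m.tenantId !== tenantId) continue
    for (const role of m.roles) {
      for (const p of rolePermissions[role] ?? []) perms.add(p)
    }
  }
  return perms
}

// Pattern (2a): tenant-scoped permission check built on the union above.
function isAllowed(userId: number, action: Action, resource: Resource, tenantId: number): boolean {
  return effectivePermissions(userId, tenantId).has(`${action}:${resource}` as Permission)
}

// Pattern (2b): a user may delegate only rights they hold themselves in that tenant.
// A subset test guarantees the grantee never ends up with more than the grantor.
function canDelegate(grantorId: number, tenantId: number, wanted: Permission[]): boolean {
  const own = effectivePermissions(grantorId, tenantId)
  return wanted.every((p) => own.has(p))
}

// A rule body in the shape of the callback passed to can(): it receives the
// mutation's args, resolves the record's tenant from the data, and decides from
// direct ownership or from the caller's roles in that tenant. `session` stands in
// for ctx.session (assumption).
function deleteCommentRule(session: { userId: number }, args: { id: number }): boolean {
  const comment = comments.find((c) => c.id === args.id)
  if (!comment) return false // unknown id: deny rather than fall through
  const user = users.find((u) => u.id === session.userId)
  if (!user || !user.enabled) return false
  return (
    comment.authorId === session.userId || // direct ownership
    isAllowed(session.userId, "delete", "comment", comment.tenantId) // role in that tenant
  )
}
```

Two points worth keeping when moving this onto a real database: resolve the tenant from the record being acted on (never from a client-supplied tenant id), and make the rule fail closed on a missing record or a disabled account, as `deleteCommentRule` does.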