But, I feel that this is not scalable what If I made a typo while checking for permissions? For example, If I check permission using ability.can(read, 'add comments') then it will give me that User is not authorized. Also, If I change the name of my comment module to note then I have to change each and every permission. So, I left this option and then I tried to implement it using Entities. For Example. I created my ability using this (Here Post and Comment is an entity):
But, I am not sure about this method. In this method, I have multiple Issues
How can I add checks on the front end so that User1 Can see the Change Status and Add Comment buttons only on his own Posts?
On the backend, If there is any endpoint that is not using any entity
then how to Check for permissions for that endpoint for example, I
have an endpoint to retrieve some constants but only the admin is
allowed to read those constants.
On the backend, If I am using joins in my query and User1 does not
have permission to view the joined table then how to handle this?
On the backend, If I am changing multiple entities inside 1 endpoint
then I have to give permission for each entity to User1. That makes this Vulnerable.
I want to check If I am going in the right direction. Also, Is there any better solution for this?
Share permissions as is. Works well if backend and front end models are the same/similar
Check permissions on backend and return booleans or an array of permissions for every record in response if models are different or you want to encapsulate knowledge about how permissions are checked on backend
I am trying to implement shared CASL on front end and on the backend side (nestjs). I have multiple use cases:
User1 can View/read the Add comment Button on posts created by himself
First, I tried to use use-case based permissions for example I created my ability using this:
But, I feel that this is not scalable what If I made a typo while checking for permissions? For example, If I check permission using
ability.can(read, 'add comments')
then it will give me that User is not authorized. Also, If I change the name of mycomment
module tonote
then I have to change each and every permission. So, I left this option and then I tried to implement it using Entities. For Example. I created my ability using this (Here Post and Comment is an entity):But, I am not sure about this method. In this method, I have multiple Issues
Change Status
andAdd Comment
buttons only on his own Posts?admin
is allowed to read those constants.I want to check If I am going in the right direction. Also, Is there any better solution for this?
Any help would be appreciated.
Thanks