CASL (pronounced /ˈkæsəl/, like castle) is an isomorphic authorization JavaScript library which restricts what resources a given user is allowed to access. All permissions are defined in a single location (the Ability
class) and not duplicated across UI components, API services, and database queries.
Heavily inspired by cancan.
- supports MongoDB like conditions (
$eq
,$ne
,$in
,$all
,$gt
,$lt
,$gte
,$lte
,$exists
,$regex
,$elemMatch
, field dot notation) - supports direct and inverted rules (i.e.,
can
&cannot
) - provides ES6 build, so you are able to shake out unused functionality
- provides easy integration with popular frontend frameworks
- provides easy integration with mongoose and MongoDB
- serializable rules which can be stored or cached in JWT token or any other storage
CASL can be used together with any data layer, any HTTP framework and even any frontend framework because of its isomorphic nature. Also, it doesn't force you to choose a database (however currently is the best integrated with MongoDB). See the examples for details.
CASL concentrates all attention at what a user can actually do and allows to create abilities in DSL style. Lets see how
Lets define Ability
for a blog website where visitors:
- can read everything.
- can manage (i.e., create, update, delete, read) posts which were created by them
- cannot delete post if it has at least 1 comment
import { AbilityBuilder } from '@casl/ability'
const ability = AbilityBuilder.define((can, cannot) => {
can('read', 'all')
can('manage', 'Post', { author: loggedInUser.id })
cannot('delete', 'Post', { 'comments.0': { $exists: true } })
})
Yes, you can use some operators from MongoDB query language to define conditions for your abilities. See Defining Abilities for details. It's also possible to store CASL abilities in a database.
Later on you can check abilities by using can
and cannot
.
class Post {
constructor(props) {
Object.assign(this, props)
}
}
// true if ability allows to read at least one Post
ability.can('read', 'Post')
// true if ability does not allow to read a post
const post = new Post({ title: 'What is CASL?' })
ability.cannot('read', post)
See Check Abilities for details.
CASL has a complementary package @casl/mongoose which provides easy integration with MongoDB database.
That package provides mongoose middleware which hides all boilerplate under convenient accessibleBy
method.
const { AbilityBuilder } = require('@casl/ability')
const { accessibleRecordsPlugin } = require('@casl/mongoose')
const mongoose = require('mongoose')
mongoose.plugin(accessibleRecordsPlugin)
const ability = AbilityBuilder.define(can => {
can('read', 'Post', { author: 'me' })
})
const Post = mongoose.model('Post', mongoose.Schema({
title: String,
author: String,
content: String,
createdAt: Date
}))
// by default it asks for `read` rules
// returns mongoose Query, so you can chain it with other conditions
Post.accessibleBy(ability).where({ createdAt: { $gt: Date.now() - 24 * 3600 } })
// also you can call it on existing query to enforce visibility.
// In this case it returns empty array because rules does not allow to read Posts of `someoneelse` author
Post.find({ author: 'someoneelse' }).accessibleBy(ability).exec()
See Database integration for details.
CASL is written in pure ES6 and has no dependencies on Node.js or other environments. That means you can use it on UI side. It may be useful if you need to show/hide some UI functionality based on what user can do in the application.
There are also complementary libraries for major frontend frameworks which makes integration of CASL super easy in your application. Pick the package for your application and protect it with the power of CASL:
- @casl/vue for Vue
- @casl/react for React
- @casl/angular for Angular 2+
- @casl/aurelia for Aurelia
A lot of useful information about CASL can be found in documentation (check sidebar on the right hand ;)!
Documentation for complementary packages can be found in respective README files:
- @casl/ability, here you can find docs about
@casl/ability/extra
helpers package. - @casl/vue
- @casl/react
- @casl/angular
- @casl/aurelia
- @casl/mongoose
Have a question?: ask it in gitter chat or on stackoverflow
There are several repositories which show how to integrate CASL in popular frontend and backend frameworks:
- CASL and Vue, CASL and Vuex
- CASL and React
- CASL and Aurelia
- CASL and Angular
- CASL and Expressjs
- CASL and Feathersjs
Want to file a bug, contribute some code, or improve documentation? Excellent! Read up on guidelines for contributing