Condition on Ability not working

Question

Condition on Ability not working

Closed this issue 3 years ago · 1 comments

I am using nest-casl library to implement authorization on my GraphQL API.

I set the permission as follows:

  // customers.permission.ts
  customer({ user, can }) {
    can(Actions.read, Customer, { id: user.id });
  }

And used the guard and ability as follows:

  // customers.service.ts
  @UseGuards(GqlAuthGuard, AccessGuard)
  @UseAbility(Actions.read, Customer)
  @Query(() => Customer, { name: 'getCustomerById' })
  async getCustomerById(
    @Args('id')
    id: string,
  ) {
    return await this.customersService.getCustomerById(id);
  }

But unfortunately, my customer can query other customers by their ID. This should not be happening, Can anyone help, please?

Answer 1 · 2022-08-30T21:07:11.000Z

you need to pull subject somehow, check https://github.com/getjerry/nest-casl#subject-hook for details