Authorize easily.
CanCan provides a simple API for handling authorization of actions.
Permissions are defined and validated using simple allow() and can() functions respectively.
CanCan is inspired by Ryan Bates' cancan.
Installation
$ npm install --save cancan
Usage
const CanCan = require('cancan');
const cancan = new CanCan();
const {allow, can} = cancan;
class User {}
class Product {}
allow(User, 'view', Product);
const user = new User();
const product = new Product();
can(user, 'view', product);
//=> true
can(user, 'edit', product);
//=> falseAPI
allow(model, action, target, [condition])
Adds a new access rule.
model
Type: class (function)
Configure the rule for instances of this class.
action
Type: array|string
Name(s) of actions to allow.
If action name is manage, it allows any action.
target
Type: array|class|string
Scope this rule to the instances of this class.
If value is "all", rule applies to all models.
condition
Type: object|function
Optional callback to apply additional checks on both target and action performers.
Examples:
// allow users to view all public posts
allow(User, 'view', Post, {public: true});
// allow users to edit and delete their posts
allow(User, ['edit', 'delete'], Post, (user, post) => post.authorId === user.id);
// allow editors to do anything with all posts
allow(Editor, 'manage', Post);
// allow admins to do anything with everything
allow(AdminUser, 'manage', 'all');can(instance, action, target)
Checks if the action is possible on target by instance.
instance
Type: object
Instance that wants to perform the action.
action
Type: string
Action name.
target
Type: object
Target against which the action would be performed.
Examples:
const user = new User();
const post = new Post();
can(user, 'view', post);cannot(instance, action, target)
Inverse of .can().
authorize(instance, action, target)
Same as .can(), but throws an error instead of returning false.
License
MIT © Vadim Demedes