This package allows to define CASL permissions on Prisma models using Prisma WhereInput
. And that brings a lot of power in terms of permission management in SQL world:
- We can use Prisma Query to define permissions, no need to learn MongoDB query language anymore.
- Additionally, we can ask our SQL database questions like: "Which records can be read?" or "Which records can be updated?".
npm install @casl/prisma @casl/ability
# or
yarn add @casl/prisma @casl/ability
# or
pnpm add @casl/prisma @casl/ability
This package is a bit different from all others because it provides a custom PrismaAbility
class that is configured to check permissions using Prisma WhereInput:
import { User, Post, Prisma } from '@prisma/client';
import { AbilityClass, AbilityBuilder, subject } from '@casl/ability';
import { PrismaAbility, Subjects } from '@casl/prisma';
type AppAbility = PrismaAbility<[string, Subjects<{
User: User,
Post: Post
}>]>;
const AppAbility = PrismaAbility as AbilityClass<AppAbility>;
const { can, cannot, build } = new AbilityBuilder(AppAbility);
can('read', 'Post', { authorId: 1 });
cannot('read', 'Post', { title: { startsWith: '[WIP]:' } });
const ability = build();
ability.can('read', 'Post');
ability.can('read', subject('Post', { title: '...', authorId: 1 })));
See CASL guide to learn how to define abilities. Everything is the same except of conditions language.
Because Prisma returns DTO objects without exposing any type information on it, we need to use subject
helper to provide that type manually, so CASL can understand what rules to apply to passed in object.
Unfortunately, there is no easy way to automate this, except of adding additional column to all models. For more details, check this issue.
To get more details about object type detection, please read CASL Subject type detection
@casl/prisma
uses ucast to interpret Prisma WhereInput in JavaScript runtime. However, there are few caveats:
- equality of JSON columns is not implemented
- equality of array/list columns is not implemented (however operators like
has
,hasSome
andhasEvery
should be more than enough) - when defining conditions on relation, always specify one of operators (
every
,none
,some
,is
orisNot
)
Interpreter throws a ParsingQueryError
in cases it receives invalid parameters for query operators or if some operation is not supported.
One nice feature of Prisma and CASL integration is that we can get all records from the database our user has access to. To do this, just use accessibleBy
helper function:
// ability is a PrismaAbility instance created in the example above
const accessiblePosts = await prisma.post.findMany({
where: accessibleBy(ability).Post
});
That function accepts PrismaAbility
instance and action
(defaults to read
), returns an object with keys that corresponds to Prisma model names and values being aggregated from permission rules WhereInput
objects.
Important: in case user doesn't have ability to access any posts, accessibleBy
throws ForbiddenError
, so be ready to catch it!
To combine this with business logic conditions, just use AND
:
const accessiblePosts = await prisma.post.findMany({
where: {
AND: [
accessibleBy(ability).Post,
{ /* business related conditions */ }
]
}
})
The package is written in TypeScript what provides comprehensive IDE hints and compile time validation.
Makes sure to call
prisma generate
.@casl/prisma
uses Prisma generated types, so if client is not generated nothing will work.
Additionally, there are several helpers that makes it easy to work with Prisma and CASL:
It's a generic type that provides Prisma.ModelWhereInput
in generic way. We need to pass inside a named model:
import { User } from '@prisma/client';
import { Model } from '@casl/prisma';
// almost the same as Prisma.UserWhereInput except that it's a higher order type
type UserWhereInput = PrismaQuery<Model<User, 'User'>>;
Just gives a name to a model. That name is stored using ForcedSubject<TName>
helper from @casl/ability
. To use a separate column or another strategy to name models, don't use this helper because it only works in combination with subject
helper.
Creates a union of all possible subjects out of passed in object:
import { User } from '@prisma/client';
import { Subjects } from '@casl/prisma';
type AppSubjects = Subjects<{
User: User
}>; // 'User' | Model<User, 'User'>
Want to file a bug, contribute some code, or improve documentation? Excellent! Read up on guidelines for contributing.
If you'd like to help us sustain our community and project, consider to become a financial contributor on Open Collective
See Support CASL for details