Comments (3)
Unfortunately it's not possible (at least I cant find a good way to do this). accessibleBy
throws ForbiddenError only in case it cannot generate where
. This means either there is no rules defined for that particular action/subject or rules defined in a way that it's possible to predict empty result set.
In order to narrow down, conditions I need to return back some where
conditions and this should be something like WHERE 1 != 1
, so we force underlying database engine to return empty result set (in this case SQL). But very likely prisma doesn't support this kind of query (at least it was true few versions ago).
In mongoose, there is a way to hook into query execution and return empty result or throw an error. If smth is possible in Prisma ecosystem (maybe with extensions), then potentially we can implement the same logic in Prisma
from casl.
In the past, casl-mongoose returned empty set in case user has no access to anything but later some people asked me to raise an exception instead.
The issue here is that in case of database query it's impossible to solve this issue, correct me if I'm wrong somewhere. Look at this scenarios:
Imagine we have a blog website where multiple authors can write articles and create drafts. Only draft author has access to own drafts.
Now we have these situations:
- database is empty and we fetch all drafts for particular author -> empty result set
- database has drafts of other authors but not the one who initiates request -> empty result set
- database has drafts for currently logged in user -> non-empty result set.
When in this situation should we throw an error? In non of this cases. Only when this user initiates request to fetch drafts of other users (not own) but this may be forbidden technically (e.g., by using /my/drafts
-> no way to fetch others drafts from API standpoint).
Potentially we could check that query somehow partially matched to allowed object will return allowed objects but even this doesn't give 100% guarantee whether user has access to smth or not. Because of queries like >
& <
, geolocation queries, LIKE
, REGEXP
, mongo allow to pass $where
expressions to conditions, how should we validate that smth potentially may be disallowed in that case? This brings a lot of complexity to casl and very likely will never be solved. In my opinion there is nothing bad to show empty result set or 404 instead of 403. Moreover it's even better because you do not disclose data in your db to potential hackers.
Imagine there is a resource in db and when smb access it without proper access, you return 403 -> this tells smth to the hacker:
- This (probably guessed) resource exists but it's protected by ACL
- This website has ACL, need to find out which one and try to crack it
When you return 404 instead, the hacker don't have these 2 points from the top ^^^ and for him now impossible to know whether this resource even exist. This is how github works, in case you access private repo, you will get 404 not 403. And from encapsulation and information hiding standpoint, this is nice.
from casl.
I found a way to return an empty list from db instead of throwing exception -> https://www.prisma.io/docs/concepts/components/prisma-client/null-and-undefined#the-effect-of-null-and-undefined-on-conditionals
Basically if there is { OR: [] }
, Prisma should return an empty result set.
from casl.
Related Issues (20)
- Overriding via provide in a plugin causes strange behavior in templates HOT 19
- Subjects and Scopes (I need help) HOT 1
- CASL HOT 2
- Have to use @ts-ignore while defining abilities, is something broken? HOT 1
- Missing $or operator HOT 1
- Implementing CASL on Front-End and Backend Use Case HOT 2
- Condition using $exists doesn't behave as expected HOT 3
- Prisma how to run other queries as findMany HOT 4
- @casl/angular AblePipe and AblePurePipe typing not working in Angular template HOT 2
- @casl/angular able and ablePure pipes are not working as exptected HOT 2
- Compatibility with Angular 17
- How to use accessibleFieldsBy without Mongoose (with basic Mondodb driver) HOT 3
- Add Support for Mongoose v8 in @casl/mongoose HOT 3
- @casl/[email protected] npm package is missing content HOT 3
- Error: Hydration failed because the initial UI does not match what was rendered on the server. HOT 2
- [not urgent] CLI Yarn warning: @casl/vue 1.x requests version lower than current 6.5.0 HOT 3
- cannot check ability if rules are loaded from database then we create ability using mongoCreateAbility HOT 9
- Extend Rule Checking Mechanism to Evaluate All Rules
- `rulesToQuery` should be generic over the return type of `RuleToQueryConverter` HOT 3
- Update ability JSON HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from casl.