CASL is an isomorphic authorization JavaScript library which restricts what resources a given user is allowed to access

Overview

CASL logo

Financial Contributors on Open Collective build CASL codecov CASL Join the chat at https://gitter.im/stalniy-casl/casl

CASL (pronounced /ˈkæsəl/, like castle) is an isomorphic authorization JavaScript library which restricts what resources a given user is allowed to access. It's designed to be incrementally adoptable and can easily scale between a simple claim based and fully featured subject and attribute based authorization. It makes it easy to manage and share permissions across UI components, API services, and database queries.

Heavily inspired by cancan.

Features

  • Versatile
    An incrementally adoptable and can easily scale between a simple claim based and fully featured subject and attribute based authorization.
  • Isomorphic
    Can be used on frontend and backend and complementary packages make integration with major Frontend Frameworks and Backend ORMs effortless
  • TypeSafe
    Written in TypeScript, what makes your apps safer and developer experience more enjoyable
  • Tree shakable
    The core is only 4KB mingzipped and can be even smaller!
  • Declarative
    Thanks to declarative rules, you can serialize and share permissions between UI and API or microservices

Ecosystem

Project Status Description Supported envinronemnts
@casl/ability @casl/ability-status CASL's core package nodejs 8+ and ES5 compatible browsers (IE 9+)
@casl/mongoose @casl/mongoose-status integration with Mongoose nodejs 8+
@casl/angular @casl/angular-status integration with Angular IE 9+
@casl/react @casl/react-status integration with React IE 9+
@casl/vue @casl/vue-status integration with Vue IE 11+ (uses WeakMap)
@casl/aurelia @casl/aurelia-status integration with Aurelia IE 11+ (uses WeakMap)

Documentation

A lot of detailed information about CASL, integrations and examples can be found in documentation.

Have a question?

Ask it in chat or on stackoverflow. Please don't ask questions in issues, the issue list of this repo is exclusively for bug reports and feature requests. Questions in the issue list may be closed immediately without answers.

CASL crash course

CASL operates on the abilities level, that is what a user can actually do in the application. An ability itself depends on the 4 parameters (last 3 are optional):

  1. User Action
    Describes what user can actually do in the app. User action is a word (usually a verb) which depends on the business logic (e.g., prolong, read). Very often it will be a list of words from CRUD - create, read, update and delete.
  2. Subject
    The subject or subject type which you want to check user action on. Usually this is a business (or domain) entity name (e.g., Subscription, BlogPost, User).
  3. Conditions
    An object or function which restricts user action only to matched subjects. This is useful when you need to give a permission on resources created by a user (e.g., to allow user to update and delete own BlogPost)
  4. Fields
    Can be used to restrict user action only to matched subject's fields (e.g., to allow moderator to update hidden field of BlogPost but not update description or title)

Using CASL you can describe abilities using regular and inverted rules. Let's see how

Note: all the examples below will be written in TypeScript but CASL can be used in similar way in ES6+ and Nodejs environments.

1. Define Abilities

Lets define Ability for a blog website where visitors:

  • can read blog posts
  • can manage (i.e., do anything) own posts
  • cannot delete a post if it was created more than a day ago
import { AbilityBuilder, Ability } from '@casl/ability'
import { User } from '../models'; // application specific interfaces

/**
 * @param user contains details about logged in user: its id, name, email, etc
 */
function defineAbilitiesFor(user: User) {
  const { can, cannot, rules } = new AbilityBuilder(Ability);

  // can read blog posts
  can('read', 'BlogPost');
  // can manage (i.e., do anything) own posts
  can('manage', 'BlogPost', { author: user.id });
  // cannot delete a post if it was created more than a day ago
  cannot('delete', 'BlogPost', {
    createdAt: { $lt: Date.now() - 24 * 60 * 60 * 1000 }
  });

  return new Ability(rules);
});

Do you see how easily business requirements were translated into CASL's rules?

Note: you can use class instead of string as a subject type (e.g., can('read', BlogPost))

And yes, Ability class allow you to use some MongoDB operators to define conditions. Don't worry if you don't know MongoDB, it's not required and explained in details in Defining Abilities

2. Check Abilities

Later on you can check abilities by using can and cannot methods of Ability instance.

// in the same file as above
import { ForbiddenError } from '@casl/ability';

const user = getLoggedInUser(); // app specific function
const ability = defineAbilitiesFor(user);

class BlogPost { // business entity
  constructor(props) {
    Object.assign(this, props);
  }
}

// true if ability allows to read at least one Post
ability.can('read', 'BlogPost');
// the same as
ability.can('read', BlogPost);

// true, if user is the author of the blog post
ability.can('manage', new BlogPost({ author: user.id }));

// true if there is no ability to read this particular blog post
const ONE_DAY = 24 * 60 * 60 * 1000;
const postCreatedNow = new BlogPost({ createdAt: new Date() });
const postCreatedAWeekAgo = new BlogPost({ createdAt: new Date(Date.now() - 7 * ONE_DAY) });

// can delete if it's created less than a day ago
ability.can('delete', postCreatedNow); // true
ability.can('delete', postCreatedAWeekAgo); // false

// you can even throw an error if there is a missed ability
ForbiddenError.from(ability).throwUnlessCan('delete', postCreatedAWeekAgo);

Of course, you are not restricted to use only class instances in order to check permissions on objects. See Introduction for the detailed explanation.

3. Database integration

CASL has a complementary package @casl/mongoose which provides easy integration with MongoDB and mongoose.

import { AbilityBuilder } from '@casl/ability';
import { accessibleRecordsPlugin } from '@casl/mongoose';
import mongoose from 'mongoose';

mongoose.plugin(accessibleRecordsPlugin);

const user = getUserLoggedInUser(); // app specific function

const ability = defineAbilitiesFor(user);
const BlogPost = mongoose.model('BlogPost', mongoose.Schema({
  title: String,
  author: mongoose.Types.ObjectId,
  content: String,
  createdAt: Date,
  hidden: { type: Boolean, default: false }
}))

// returns mongoose Query, so you can chain it with other conditions
const posts = await BlogPost.accessibleBy(ability).where({ hidden: false });

// you can also call it on existing query to enforce permissions
const hiddenPosts = await BlogPost.find({ hidden: true }).accessibleBy(ability);

// you can even pass the action as a 2nd parameter. By default action is "read"
const updatablePosts = await BlogPost.accessibleBy(ability, 'update');

See Database integration for details.

4. Advanced usage

CASL is incrementally adoptable, that means you can start your project with simple claim (or action) based authorization and evolve it later, when your app functionality evolves.

CASL is composable, that means you can implement alternative conditions matching (e.g., based on joi, ajv or pure functions) and field matching (e.g., to support alternative syntax in fields like addresses.*.street or addresses[0].street) logic.

See Advanced usage for details.

5. Examples

Looking for examples? Check CASL examples repository.

Want to help?

Want to file a bug, contribute some code, or improve documentation? Excellent! Read up on guidelines for contributing.

If you'd like to help us sustain our community and project, consider to become a financial contributor on Open Collective

Contributors

Code Contributors

This project exists thanks to all the people who contribute. [Contribute].

Financial Contributors

Become a financial contributor and help us sustain our community. [Contribute]

Individuals

Organizations

Support this project with your organization. Your logo will show up here with a link to your website. [Contribute]

License

MIT License

Copyright (c) 2017-present, Sergii Stotskyi

Comments
  • Type safety of fields in conditions

    Type safety of fields in conditions

    Hello,

    I've just started using casl, so I might be doing (multiple) things wrong, but it seems that "can*" rules are not type safe.

    When I define rules such as the one below, the fields I'm using to express the MongoDB query are using any, meaning that if I refactor my code, I might break the rules.

    I've of course tested this code to alleviate this issue, but it would be awesome if casl could recognize the types and enforce type safety.

    • Casl version: 4.1.3

    Example:

    import { Ability, defineAbility, InferSubjects } from "@casl/ability";
    import { UserRoleInMeetingV1 } from "../user-role-in-meeting-v1.intf";
    import { MeetingStateV1 } from "../../../entities/meetings/meeting-state-v1.intf";
    import { assertUnreachable } from "@didowi/common-utils";
    
    export enum MeetingBaseActions {
      VIEW = "VIEW",
      EDIT_BASIC_INFO = "EDIT_BASIC_INFO",
      EDIT_STATE = "EDIT_STATE",
      REMOVE = "REMOVE",
    }
    
    export class MeetingBaseSubject {
      /**
       * Helps CASL to detect the subject type
       * Reference: https://stalniy.github.io/casl/v4/en/guide/subject-type-detection
       */
      static readonly modelName = "MeetingBaseSubject";
    
      constructor(readonly roles: UserRoleInMeetingV1[]) {}
    }
    
    /**
     * Subjects can either be the type (when defining a rule) or an object of that type (when checking)
     */
    export type MeetingBaseSubjects = InferSubjects<typeof MeetingBaseSubject>;
    
    /**
     * The ability is the combination of possible actions and subjects
     */
    export type MeetingBaseAbility = Ability<[MeetingBaseActions, MeetingBaseSubjects]>;
    
    /**
     * Define the abilities for base
     * @param meetingState the meeting state to define abilities for
     */
    export function defineAbilitiesForMeetingBase(meetingState: Readonly<MeetingStateV1>): MeetingBaseAbility {
      return defineAbility((can) => {
        switch (meetingState) {
          case MeetingStateV1.DRAFT:
            can(MeetingBaseActions.VIEW, MeetingBaseSubject, { roles: { $in: [UserRoleInMeetingV1.OWNER] } });
            can(MeetingBaseActions.EDIT_BASIC_INFO, MeetingBaseSubject, { roles: { $in: [UserRoleInMeetingV1.OWNER] } });
            can(MeetingBaseActions.EDIT_STATE, MeetingBaseSubject, { roles: { $in: [UserRoleInMeetingV1.OWNER] } });
            can(MeetingBaseActions.REMOVE, MeetingBaseSubject, { roles: { $in: [UserRoleInMeetingV1.OWNER] } });
            break;
          case MeetingStateV1.DELETED:
            // Noone can do anything
            break;
          case MeetingStateV1.CANCELLED:
            can(MeetingBaseActions.VIEW, MeetingBaseSubject, {
              roles: {
                $in: [
                  UserRoleInMeetingV1.OWNER,
                  UserRoleInMeetingV1.CATEGORY_MEMBER,
                  UserRoleInMeetingV1.PARTICIPANT,
                  UserRoleInMeetingV1.TIMEKEEPER,
                  UserRoleInMeetingV1.SCRIBE,
                ],
              },
            });
            break;
          case MeetingStateV1.PLANNED:
            can(MeetingBaseActions.VIEW, MeetingBaseSubject, {
              roles: {
                $in: [
                  UserRoleInMeetingV1.OWNER,
                  UserRoleInMeetingV1.CATEGORY_MEMBER,
                  UserRoleInMeetingV1.PARTICIPANT,
                  UserRoleInMeetingV1.TIMEKEEPER,
                  UserRoleInMeetingV1.SCRIBE,
                ],
              },
            });
            can(MeetingBaseActions.EDIT_BASIC_INFO, MeetingBaseSubject, {
              roles: { $in: [UserRoleInMeetingV1.OWNER, UserRoleInMeetingV1.SCRIBE] },
            });
            can(MeetingBaseActions.EDIT_STATE, MeetingBaseSubject, {
              roles: { $in: [UserRoleInMeetingV1.OWNER, UserRoleInMeetingV1.SCRIBE, UserRoleInMeetingV1.TIMEKEEPER] },
            });
            break;
          default:
            assertUnreachable(meetingState);
        }
      });
    }
    
    

    By the way, I wanted to use the abilityBuilder to define those rules, but for some reason that eludes me, it never worked and I'm not too sure why. It was as if the subjects were not recoginized although I had the same base setup. I'm not sure I understand the docs about it..

    enhancement breaking change 
    opened by dsebastien 31
  • Casl/mongoose and official mongoose types

    Casl/mongoose and official mongoose types

    Hey @stalniy, thank you for your awesome work on this project. I just got started using the casl library for permission management and I really love it so far, but there's one small issue I wasn't able to fix:

    Describe the bug I am using the @casl/ability and the @casl/mongoose package to manage database permissions within nodejs. My code runs just fine but as soon as I want to compile my typescript project using tsc, it just errors out.

    To Reproduce Steps to reproduce the behavior: I've created src/test.ts within my current project with the following content:

    import { accessibleRecordsPlugin } from '@casl/mongoose';
    import * as mongoose from 'mongoose';
    
    mongoose.plugin(accessibleRecordsPlugin);
    

    Expected behavior Running npx tsc src/test.ts should just compile the ts file. Instead, I get the following error message:

    npx tsc src/test.ts 
    node_modules/@casl/mongoose/dist/types/accessible_records.d.ts:3:18 - error TS2305: Module '"mongoose"' has no exported member 'DocumentQuery'.
    
    3 import { Schema, DocumentQuery, Model, Document } from 'mongoose';
                       ~~~~~~~~~~~~~
    
    node_modules/@casl/mongoose/dist/types/accessible_records.d.ts:6:76 - error TS2314: Generic type 'Model<T>' requires 1 type argument(s).
    
    6 export interface AccessibleRecordModel<T extends Document, K = {}> extends Model<T, K & {
                                                                                 ~~~~~~~~~~~~~~
    7     accessibleBy: GetAccessibleRecords<T>;
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    8 }> {
    

    CASL Version

    @casl/ability - v 5.1.2 @casl/mongoose - v 3.2.2

    Environment:

    Fedora 33, Node 14.15.1 mongoose - v 5.11.11 typescript -v 4.1.3

    enhancement 
    opened by p-fruck 25
  • Request for TypeORM

    Request for TypeORM

    I really like your casl library and want to use it in my project. I'm using TypeORM with Postgres. I'm not sure how use it for filtering data from database (rows and columns) based on casl rules. Are you going to implement such plugin?

    wontfix 
    opened by Herr-Mefisto 23
  • Race condition in unsubcription of useEffect in useAbility

    Race condition in unsubcription of useEffect in useAbility

    Describe the bug

    Sporadically I get the following error from useAbility:

    react_devtools_backend.js:2842 Warning: Can't perform a React state update on an unmounted component. This is a no-op, but it indicates a memory leak in your application. To fix, cancel all subscriptions and asynchronous tasks in a useEffect cleanup function.
        at Inner (https://localhost:3000/src/components/Control.tsx?t=1628859377104:22:3)
        at UiPathContextProvider (https://localhost:3000/src/contexts/UiPathContextProvider.tsx:19:3)
        at div
        at Control (https://localhost:3000/src/components/Control.tsx?t=1628859377104:43:3)
        at InfoField (https://localhost:3000/src/components/numeric/InfoField.tsx?t=1628859377104:22:3)
        at EmptyField
        at Loading (https://localhost:3000/src/components/RenderTag.tsx?t=1628859377104:41:3)
    

    To Reproduce

    When I trigger an ability change via an AbilityContext upstream in the UI tree, every 5 to 10 re-renders the error occurs. useAbility is used by a primitive UI control wrapper component used a lot in my project ( I use CASL ability for controlling write access, which re-renders UI controls to a read-only state when use level is not high enough).

    Expected behavior No race condition

    Interactive example (optional, but highly desirable) I have a large hierarchy and large parts of the UI tree gets sometimes unmounted as a response of an ability change. So it is really difficult to reproduce this error in a minimal project.

    As an alternative I tried already a bug fix which seems to work. I replace the original implementation of the useAbility:

    import React from 'react';
    import { AnyAbility } from '@casl/ability';
    
    export function useAbility<T extends AnyAbility>(context: React.Context<T>): T {
      if (process.env.NODE_ENV !== 'production' && typeof React.useContext !== 'function') {
        /* istanbul ignore next */
        throw new Error('You must use React >= 16.8 in order to use useAbility()');
      }
    
      const ability = React.useContext<T>(context);
      const [rules, setRules] = React.useState<T['rules']>();
    
      React.useEffect(() => ability.on('updated', (event) => {
        if (event.rules !== rules) {
          setRules(event.rules);
        }
      }), []);
    
      return ability;
    }
    

    with this:

    import { AnyAbility } from '@casl/ability';
    import React, { useContext, useEffect, useRef, useState } from 'react';
    
    function useAbility<T extends AnyAbility>(context: React.Context<T>): T {
      if (process.env.NODE_ENV !== 'production' && typeof useContext !== 'function') {
        /* istanbul ignore next */
        throw new Error('You must use React >= 16.8 in order to use useAbility()');
      }
    
      const ability = useContext<T>(context);
      const [rules, setRules] = useState<T['rules']>();
      const subscribed = useRef(false);
    
      useEffect(() => {
        const unsubscribe = ability.on('updated', event => {
          if (subscribed.current && event.rules !== rules) {
            setRules(event.rules);
          }
        });
        subscribed.current = true;
        return function () {
          subscribed.current = false;
          unsubscribe();
        };
      }, [ability, rules]);
    
      return ability;
    }
    
    export default useAbility;
    

    Basically I currently suspect the race condition somewhere inside the unsubscribe function returned from ability.on and just don't call setRules (which triggers a setState and the bug) anymore as soon as the component is unmounted.

    This fixes the racing condition 100%

    CASL Version "@casl/ability": "^5.4.0", "@casl/react": "^2.3.0",

    Environment: NodeJS on Windows, newest Chrome

    bug casl/ability casl/react 
    opened by gunters63 22
  • Abilities don't behave the way I expected from the docs

    Abilities don't behave the way I expected from the docs

    Hey @stalniy, First of all, thank you for the great library. I've been going through the docs and, no matter what, I can't make the rules work as I would like to.

    Describe the bug

    My goal is to define a set of abilities so that we can only access a Person with id = 2. Therefore:

    • I shouldn't be able to access a Person with an ID != 2
    • I shouldn't be able to access a Person without specifying an ID

    To Reproduce

    Minimal example to reproduce:

    import { Ability, InferSubjects, AbilityBuilder, subject } from "@casl/ability";
    
    export type Actions = "create" | "read" | "update" | "delete";
    
    interface Person {
      id: number;
    }
    
    export type SubjectTypes = Person | "Person";
    export type Subjects = InferSubjects<SubjectTypes>;
    export type MyAbility = Ability<[Actions, Subjects]>;
    
    const getAbilities = (): MyAbility => {
      const { can, cannot, build } = new AbilityBuilder<MyAbility>();
      can("read", "Person", { id: { $in: [ 2 ] } })
      return build()
    }
    
    const abilities = getAbilities()
    console.log(abilities.can("read", "Person"))
    console.log(abilities.can("read", subject("Person", {id: 1})))
    console.log(abilities.can("read", subject("Person", {id: 2})))
    

    Expected behavior I would expect to get: -> console.log(abilities.can("read", "Person")) -> False (because I should only be able to access Person with ID = 2) -> console.log(abilities.can("read", subject("Person", {id: 1}))) -> False -> console.log(abilities.can("read", subject("Person", {id: 2}))) -> True

    What I get instead is true to all the conditions.

    I also tried using defineAbility instead:

    const abilities = defineAbility((can) => {
      can("read", "Person", { id: { $in: [2] } });
    });
    

    and in that case, I get: -> console.log(abilities.can("read", "Person")) -> True (shouldn't it be false?) -> console.log(abilities.can("read", subject("Person", {id: 1}))) -> False Ok -> console.log(abilities.can("read", subject("Person", {id: 2}))) -> True Ok

    Interactive example

    https://codesandbox.io/s/modern-breeze-q5ue1?file=/src/index.ts

    CASL Version

    @casl/ability - v 4.1.6

    Environment:

    Windows 10, Node JS: v12.16.1

    Do you have any idea why I'm facing these problems? Thank you for your time

    bug status: invalid 
    opened by federico-terzi 22
  • @casl/vue - Vue 3 support

    @casl/vue - Vue 3 support

    Is your feature request related to a problem? Please describe. Our team is migrating our projects to Vue 3 and I would like to migrate @casl/vue to Vue 3 as well 😁.

    Describe the solution you'd like There aren't many changes that would need to be made, but they would break backwards compatibility:

    I'm thinking that we might need to create a new branch to support Vue 3 and maintain compatibility with Vue 2 and am open to ideas about how the project would best support this change.

    enhancement casl/vue breaking change released 
    opened by rak-phillip 22
  • Mongoose type

    Mongoose type "accessibleBy" returns an array of document after findOne

    Model.accessibleBy from @casl/mongoose returns an array of document which makes it hard to deal with with operations such as findById and following:

            type CatDocument = Cat & Document
    
     	getById(id: MongooseTypes.ObjectId, ability: Ability): Promise<CatDocument> 
    		return this.catModel
    			.findById(id)
    			.accessibleBy(ability, Action.Read)
                            // function return type now needs to be Promise<CatDocument[]>
    			.exec()
    	}
    

    Update operations after find one (is there a better way to check ability before update?) trigger an error since it expects an array:

    	async update(payload: UpdateCatInput, ability: Ability) {
    		const doc = await this.catModel
    			.findById(payload.id)
    			.accessibleBy(ability, Action.Update)
    			.exec()
    
    		if (doc) return doc.set(payload).save() 
                    // Error : Property 'set' does not exist on type '(Cat & Document<any, any, any> & { _id: ObjectId; })[]'
    	}
    
    opened by gterras 21
  • Rule with class and conditions doesn't work

    Rule with class and conditions doesn't work

    First at all, sorry if I forgot something.

    Describe the bug When I define rules using a class name in typescript, in that rules where there are some condition always return false.

    To Reproduce

    I have these classes User and Post

    enum Role {
      ADMIN = 'admin',
      USER = 'user'
    }
    
    class User {
      id: number;
      login: string;
      role: Role;
    }
    
    class Post {
      title: string;
      text: string;
      authrorId: number;
    }
    

    I define the rules in a static class method called createForUser as follow:

    enum Action {
      MANAGE = 'manage',
      CREATE = 'create',
      READ = 'read',
      UPDATE = 'update',
      DELETE = 'delete'
    }
    
    type Subjects = typeof Post | typeof User | Post | User | 'all';
    type AppAbility = Ability<[Action, Subjects}>;
    
    class CaslAbilityFactory {
      static createForUser(user: User) {
        cosnt { can, cannot, build } = new AbilityBuilder<AppAbility>(Ability as AbilityClass<AppAbility>);
        if (user.role === Role.ADMIN) {
          can(Action.MANAGE, 'all');
        } else {
          can(Action.READ, Post);
          cannot(Action.DELETE, Post);
        }
        can(Action.UPDATE, Post, { authorId: user.id });
        return build();
      }
    }
    

    When I check the ability of READ a post, with a user with Role USER, it works as expected. The problem is when I check to update a post as follow:

    const user: User = new User();
    user.id = 1;
    user.login = 'user01';
    user.role = Role.USER;
    
    const post: Post = new Post();
    post.title = "Dummy post";
    post.text = "Something interesting";
    post.authorId = user.id;
    
    const ability = CaslAbilityFactory.createForUser(user);
    console.log(ability.can(Action.READ, Post));  // ---> Prints true and expected true.
    console.log(ability.can(Action.UPDATE, post));  // ---> Prints false, but expected true
    

    But if we add 'Post' to the type Subjects and change Post for 'Post' as following:

    type Subjects = typeof Post | typeof User | Post | User | 'Post' | 'all';
    
    class CaslAbilityFactory {
      ...
      
      can(Action.UPDATE, 'Post', { authorId: user.id });
      ...
      return build();
    }
    
    console.log(ability.can(Action.READ, Post));  // ---> Prints true and expected true.
    console.log(ability.can(Action.UPDATE, post));  // ---> Now prints true and expected true
    

    I tried too of downgrade @casl/ability to version 4.1.6 and the first code (using Post in the rule specification) works as expected.

    Interactive example Here is a link to the interactive example in codesandobx. https://codesandbox.io/s/casl-bug-3txfo?file=/src/index.ts

    CASL Version @casl/ability - 5.1.1

    Environment: node - 12.18.4 typescript - 4.1.3

    bug 
    opened by davidgpgr94 21
  • Documentation: add SQL support via objection-authorize

    Documentation: add SQL support via objection-authorize

    Hi! I am a daily user of casl and over the past few years I've been using casl along with objection-authorize (a library that I've also been building for the past few years) to integrate casl in both the frontend and the backend isomorphically, and perhaps more importantly, ACTUALLY use the casl ACLs to filter/check SQL queries!

    I understand that #8 is asking for Sequelize support, but it doesn't lend itself to plugin support very neatly, and I'm a personal advocate of Objection.js (the SQL ORM of choice), and perhaps most importantly, it's ALREADY proven to be working (see https://github.com/JaneJeon/blink for an example, especially under policies/ and models/ directory).

    https://github.com/JaneJeon/objection-authorize has a full battery of tests that have been expanding over the years, and at this point I feel that it's "battle-tested" enough to recommend to the general public. So I'd appreciate it if you could add objection-authorize as an adapter for people using SQL + CASL, under the "Official Packages" in the documentation.

    My hope is that with my library, people who're looking for SQL support don't have to overlook CASL because of the lack of support for SQL ORMs (and vice versa).

    Thanks!

    question 
    opened by JaneJeon 20
  • Add vue directive

    Add vue directive

    Hi,

    It would be really nice if we could do something like

    <div v-can="deleteSomething">Delete something</div>
    

    Update:

    Requirements:

    • [ ] create a separate Vue plugin (e.g., AbilityDirectives)
    • [ ] this plugin should provide global directive v-can
    • [ ] directive should work similar to v-if (i.e., remove/insert DOM nodes when condition changes)
    • [ ] an array as argument to directive v-can="[action, subject, field]" (e.g., v-can="['read', post, 'title']")
    • [ ] arguments as directive arguments v-can.action.field.of="subject", .of is optional, just for readability (e.g., v-can.read.title.of="post", v-can.read="post")
    • [ ] arguments as directive arguments for class checks v-can.action.field.of.subject, .of is optional, just for readability (e.g., v-can.read.title.of.Post, v-can.read.Post)
    casl/vue 
    opened by shadoWalker89 20
  • Feature Request: Checking fields for complex types

    Feature Request: Checking fields for complex types

    Hi! I'm curious if anyone has dealt with restricting access to complex fields, or would be interested in a PR that solves for that. I have a schema that looks like:

    new mongoose.Schema({
      children: [{
        childField1: String,
        childField2: String,
      }]
    });
    

    and I want to be able to restrict access to only childField1:

    // definition
    can('update', Model, ['children.childField1'])
    
    // check
    abilities.can('update', instance, 'children.0.childField1')
    

    This would let me loop through instance.modifiedPaths and check that each path is updatable.

    instance.modifiedPaths().forEach(path => {
      this._abilities.throwUnlessCan('update', instance, path);
    });
    

    Is this something others have dealt with?

    I was thinking about writing a PR that does something like this:

    import mongoose from 'mongoose';
    import casl from '@casl/ability';
    const { AbilityBuilder, Ability } = casl;
    
    export const testSchema = new mongoose.Schema({
      objectField: {
        childField1: String,
        childField2: String,
      },
      arrayField: [
        {
          basicField: String,
          objectField: {
            childField1: String,
            childField2: String,
          },
        },
      ],
    });
    
    const Model = mongoose.model('Test', testSchema);
    
    const test = new Model({
      objectField: {
        childField1: 'value',
        childField2: 'value',
      },
      arrayField: [String],
      complexField: [
        {
          basicField: 'value',
          otherBasicField: 'value',
          objectField: {
            childField1: 'value',
            childField2: 'value',
          },
          arrayField: [String],
        },
      ],
    });
    
    let abilities;
    
    // If you can access an object, you can access all its children.
    abilities = AbilityBuilder.define((can, cannot) => {
      can('read', Model, ['objectField']);
    });
    console.info(abilities.can('read', test, 'objectField')); // true
    console.info(abilities.can('read', test, 'objectField.childField1')); // true
    console.info(abilities.can('read', test, 'objectField.childField2')); // true
    
    // If you can access a child, you can access the parent, but not siblings.
    abilities = AbilityBuilder.define((can, cannot) => {
      can('read', Model, ['objectField.childField1']);
    });
    console.info(abilities.can('read', test, 'objectField')); // true
    console.info(abilities.can('read', test, 'objectField.childField1')); // true
    console.info(abilities.can('read', test, 'objectField.childField2')); // false
    
    // If you can access an array, you can access any member of the array.
    abilities = AbilityBuilder.define((can, cannot) => {
      can('read', Model, ['arrayField']);
    });
    console.info(abilities.can('read', test, 'arrayField')); // true
    console.info(abilities.can('read', test, 'arrayField.0')); // true
    console.info(abilities.can('read', test, 'arrayField.1')); // true
    
    // If you can access a child of an array, you can access the array or any member of the array,
    // but only the specified children.
    abilities = AbilityBuilder.define((can, cannot) => {
      can('read', Model, [
        'complexField.basicField',
        'complexField.objectField.childField2'
        'complexField.objectField.arrayField'
        ]);
    });
    console.info(abilities.can('read', test, 'complexField')); // true
    console.info(abilities.can('read', test, 'complexField.0')); // true
    console.info(abilities.can('read', test, 'complexField.0.basicField')); // true
    console.info(abilities.can('read', test, 'complexField.0.otherBasicField')); // false
    console.info(abilities.can('read', test, 'complexField.0.objectField')); // true
    console.info(abilities.can('read', test, 'complexField.0.objectField.childField1')); // false
    console.info(abilities.can('read', test, 'complexField.0.objectField.childField2')); // true
    console.info(abilities.can('read', test, 'complexField.0.arrayField')); // true
    console.info(abilities.can('read', test, 'complexField.0.arrayField.0')); // true
    

    Any interest, or does it just add too much complexity for an uncommon requirement?

    opened by dlerman2 18
  • chore(deps): lock file maintenance

    chore(deps): lock file maintenance

    Mend Renovate

    This PR contains the following updates:

    | Update | Change | |---|---| | lockFileMaintenance | All locks refreshed |

    🔧 This Pull Request updates lock files to use the latest dependency versions.


    Configuration

    📅 Schedule: Branch creation - "before 5am on monday" (UTC), Automerge - At any time (no schedule defined).

    🚦 Automerge: Enabled.

    Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


    • [ ] If you want to rebase/retry this PR, check this box

    This PR has been generated by Mend Renovate. View repository job log here.

    opened by renovate[bot] 1
  • fix(deps): update dependency rollup to v3

    fix(deps): update dependency rollup to v3

    Mend Renovate

    This PR contains the following updates:

    | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | rollup (source) | ^2.47.0 -> ^3.0.0 | age | adoption | passing | confidence |


    Release Notes

    rollup/rollup

    v3.9.0

    Compare Source

    2022-12-28

    Features
    • Support ES2022 arbitrary module namespace identifiers (#​4770)
    • Add optional version property to plugin type (#​4771)
    Pull Requests

    v3.8.1

    Compare Source

    2022-12-23

    Bug Fixes
    • Reduce memory footprint when explicitly passing cache: false (#​4762)
    • Fix a crash when preserving modules and reexporting namespaces (#​4766)
    Pull Requests

    v3.8.0

    Compare Source

    2022-12-22

    Features
    • Deduplicate ESM exports and reexports when preserving modules (#​4759)
    Bug Fixes
    • Handle files that are emitted as a side effect of the manualChunks option (#​4759)
    Pull Requests

    v3.7.5

    Compare Source

    2022-12-17

    Bug Fixes
    • Avoid name shadowing when default exporting a class that matches the name of another class (#​4756)
    • Do not display the error message both in a separate line and in the stack trace in rollup CLI (#​4749)
    • Make type of RollupWarning.cause compatible with Error.cause (#​4757)
    • Do not swallow side effects when interacting with modules namespaces nested in another object (#​4758)
    Pull Requests

    v3.7.4

    Compare Source

    2022-12-13

    Bug Fixes
    • Do not remove calls to .exec and .test for included stateful regular expressions (#​4742)
    Pull Requests

    v3.7.3

    Compare Source

    2022-12-11

    Bug Fixes
    • Ensure this.getFileName no longer returns a placeholder as soon as hash placeholders have been resolved (#​4747)
    Pull Requests

    v3.7.2

    Compare Source

    2022-12-10

    Bug Fixes
    • Improve chunk generation performance when one module is dynamically imported by many other modules (#​4736)
    Pull Requests

    v3.7.1

    Compare Source

    2022-12-09

    Bug Fixes
    Pull Requests

    v3.7.0

    Compare Source

    2022-12-08

    Features
    • Do not treat .test and .exec on regular expressions as side effects (#​4737)
    Pull Requests

    v3.6.0

    Compare Source

    2022-12-05

    Features
    • extend this.getModuleInfo with information about exports (#​4731)
    Pull Requests

    v3.5.1

    Compare Source

    2022-12-01

    Bug Fixes
    • Accept functions returning a config in defineConfig (#​4728)
    Pull Requests
    • #​4728: Overload defineConfig to accept a RollupOptionsFunction parameter (@​Septh)

    v3.5.0

    Compare Source

    2022-11-27

    Features
    • Add treeshake.manualPureFunctions to override static analysis for explicit function names (#​4718)
    Bug Fixes
    • Do not throw when a plugin uses this.load without awaiting its result (#​4725)
    Pull Requests

    v3.4.0

    Compare Source

    2022-11-22

    Features
    • Do not keep unused Object.freeze calls on object literals (#​4720)
    Pull Requests

    v3.3.0

    Compare Source

    2022-11-12

    Features
    • Add "experimentalMinChunkSize" option to merge smaller chunks into larger ones (#​4705)
    • Automatically deduplicate assets again when the source is a Buffer (#​4712)
    • Deduplicate Buffer with string assets (#​4712)
    Bug Fixes
    • Support plugins with object hooks when using perf: true (#​4707)
    Pull Requests

    v3.2.5

    Compare Source

    2022-11-01

    Bug Fixes
    • We deconflicting classes, ensure the original class name still does not shadow variables (#​4697)
    Pull Requests

    v3.2.4

    Compare Source

    2022-10-31

    Bug Fixes
    • Always use forward slashes in chunk ids when preserving modules, even on Windows (#​4693)
    • Escape problematic characters in ids when rewriting import.meta.url (#​4693)
    Pull Requests

    v3.2.3

    Compare Source

    2022-10-18

    Bug Fixes
    • Fix an issue whre Rollup confused new.target with import.meta (#​4679)
    • Ensure that Rollup does not make assumptions about the value of unknown namespace import members (#​4684)
    Pull Requests

    v3.2.2

    Compare Source

    2022-10-16

    Bug Fixes
    • Do not hang/crash on hashbang comments in input modules (#​4676)
    Pull Requests

    v3.2.1

    Compare Source

    2022-10-16

    Bug Fixes
    • Rewrite class declarations to preserve their .name property if necessary (#​4674)
    Pull Requests

    v3.2.0

    Compare Source

    2022-10-15

    Features
    • Support providing Promises as plugins like Vite (#​4671)
    Pull Requests

    v3.1.0

    Compare Source

    2022-10-12

    Features
    • Support using arrays of plugins as plugins like Vite (#​4657)
    Pull Requests

    v3.0.1

    Compare Source

    2022-10-12

    Bug Fixes
    • Fix installation on Windows (#​4662)
    • Avoid missing parameters that are only used in a destructuring initializer (#​4663)
    Pull Requests

    v3.0.0

    Compare Source

    2022-10-11

    Breaking Changes
    General Changes
    • Rollup now requires at least Node 14.18.0 to run (#​4548 and #​4596)
    • The browser build has been split into a separate package @rollup/browser (#​4593)
    • The node build uses the node: prefix for imports of builtin modules (#​4596)
    • Some previously deprecated features have been removed (#​4552):
      • Some plugin context functions have been removed:
        • this.emitAsset(): use this.emitFile()
        • this.emitChunk(): use this.emitFile()
        • this.getAssetFileName(): use this.getFileName()
        • this.getChunkFileName(): use this.getFileName()
        • this.isExternal(): use this.resolve()
        • this.resolveId(): use this.resolve()
      • The resolveAssetUrl plugin hook has been removed: use resolveFileUrl
      • Rollup no longer passes assetReferenceId or chunkReferenceId parameters to resolveFileUrl
      • The treeshake.pureExternalModules option has been removed: use treeshake.moduleSideEffects: 'no-external'
      • You may no longer use true or false for output.interop. As a replacement for true, you can use "compat"
      • Emitted assets no longer have an isAsset flag in the bundle
      • Rollup will no longer fix assets added directly to the bundle by adding the type: "asset" field
    • Some features that were previously marked for deprecation now show warnings when used (#​4552):
      • Some options have been deprecated:
        • inlineDynamicImports as part of the input options: use output. inlineDynamicImports
        • manualChunks as part of the input options: use output. manualChunks
        • maxParallelFileReads: use `maxParallelFileOps
        • output.preferConst: use output.generatedCode.constBindings
        • output.dynamicImportFunction: use the renderDynamicImport plugin hook
        • output.namespaceToStringTag: use output.generatedCode.symbols
        • preserveModules as part of the input options: use output. preserveModules
      • You should no longer access this.moduleIds in plugins: use this.getModuleIds()
      • You should no longer access this.getModuleInfo(...).hasModuleSideEffects in plugins: use this.getModuleInfo(...).moduleSideEffects
    • Configuration files are only bundled if either the --configPlugin or the --bundleConfigAsCjs options are used. The configuration is bundled to an ES module unless the --bundleConfigAsCjs option is used. In all other cases, configuration is now loaded using Node's native mechanisms (#​4574 and #​4621)
    • The properties attached to some errors have been changed so that there are fewer different possible properties with consistent types (#​4579)
    • Some errors have been replaced by others (ILLEGAL_NAMESPACE_REASSIGNMENT -> ILLEGAL_REASSIGNMENT, NON_EXISTENT_EXPORT -> MISSING_EXPORT) (#​4579)
    • Files in rollup/dist/* can only be required using their file extension (#​4581)
    • The loadConfigFile helper now has a named export of the same name instead of a default export (#​4581)
    • When using the API and sourcemaps, sourcemap comments are contained in the emitted files and sourcemaps are emitted as regular assets (#​4605)
    • Watch mode no longer uses Node's EventEmitter but a custom implementation that awaits Promises returned from event handlers (#​4609)
    • Assets may only be deduplicated with previously emitted assets if their source is a string (#​4644)
    • By default, Rollup will keep external dynamic imports as import(…) in commonjs output unless output.dynamicImportInCjs is set to false (#​4647)
    Changes to Rollup Options
    • As functions passed to output.banner/footer/intro/outro are now called per-chunk, they should be careful to avoid performance-heavy operations (#​4543)
    • entryFileNames/chunkFileNames functions now longer have access to the rendered module information via modules, only to a list of included moduleIds (#​4543)
    • The path of a module is no longer prepended to the corresponding chunk when preserving modules (#​4565)
    • When preserving modules, the [name] placeholder (as well as the chunkInfo.name property when using a function) now includes the relative path of the chunk as well as optionally the file extension if the extension is not one of .js, .jsx, .mjs, .cjs, .ts, .tsx, .mts, or .cts (#​4565)
    • The [ext], [extName] and [assetExtName] placeholders are no longer supported when preserving modules (#​4565)
    • The perf option no longer collects timings for the asynchronous part of plugin hooks as the readings were wildly inaccurate and very misleading, and timings are adapted to the new hashing algorithm (#​4566)
    • Change the default value of makeAbsoluteExternalsRelative to "ifRelativeSource" so that absolute external imports will no longer become relative imports in the output, while relative external imports will still be renormalized (#​4567)
    • Change the default for output.generatedCode.reservedNamesAsProps to no longer quote properties like default by default (#​4568)
    • Change the default for preserveEntrySignatures to "exports-only" so that by default, empty facades for entry chunks are no longer created (#​4576)
    • Change the default for output.interop to "default" to better align with NodeJS interop (#​4611)
    • Change the default for output.esModule to "if-default-prop", which only adds __esModule when the default export would be a property (#​4611)
    • Change the default for output.systemNullSetters to true, which requires at least SystemJS 6.3.3 (#​4649)
    Plugin API Changes
    • Plugins that add/change/remove imports or exports in renderChunk should make sure to update ChunkInfo.imports/importedBindings/exports accordingly (#​4543)
    • The order of plugin hooks when generating output has changed (#​4543)
    • Chunk information passed to renderChunk now contains names with hash placeholders instead of final names, which will be replaced when used in the returned code or ChunkInfo.imports/importedBindings/exports (#​4543 and #​4631)
    • Hooks defined in output plugins will now run after hooks defined in input plugins (used to be the other way around) (#​3846)
    Features
    • Functions passed to output.banner/footer/intro/outro are now called per-chunk with some chunk information (#​4543)
    • Plugins can access the entire chunk graph via an additional parameter in renderChunk (#​4543)
    • Chunk hashes only depend on the actual content of the chunk and are otherwise stable against things like renamed/moved source files or changed module resolution order (#​4543)
    • The length of generated file hashes can be customized both globally and per-chunk (#​4543)
    • When preserving modules, the regular entryFileNames logic is used and the path is included in the [name] property. This finally gives full control over file names when preserving modules (#​4565)
    • output.entryFileNames now also supports the [hash] placeholder when preserving modules (#​4565)
    • The perf option will now collect (synchronous) timings for all plugin hooks, not just a small selection (#​4566)
    • All errors thrown by Rollup have name: RollupError now to make clearer that those are custom error types (#​4579)
    • Error properties that reference modules (such as id and ids) will now always contain the full ids. Only the error message will use shortened ids (#​4579)
    • Errors that are thrown in response to other errors (e.g. parse errors thrown by acorn) will now use the standardized cause property to reference the original error (#​4579)
    • If sourcemaps are enabled, files will contain the appropriate sourcemap comment in generateBundle and sourcemap files are available as regular assets (#​4605)
    • Returning a Promise from an event handler attached to a RollupWatcher instance will make Rollup wait for the Promise to resolve (#​4609)
    • There is a new value "compat" for output.interop that is similar to "auto" but uses duck-typing to determine if there is a default export (#​4611)
    • There is a new value "if-default-prop" for esModule that only adds an __esModule marker to the bundle if there is a default export that is rendered as a property (#​4611)
    • Rollup can statically resolve checks for foo[Symbol.toStringTag] to "Module" if foo is a namespace (#​4611)
    • There is a new CLI option --bundleConfigAsCjs which will force the configuration to be bundled to CommonJS (#​4621)
    • Import assertions for external imports that are present in the input files will be retained in ESM output (#​4646)
    • Rollup will warn when a module is imported with conflicting import assertions (#​4646)
    • Plugins can add, remove or change import assertions when resolving ids (#​4646)
    • The output.externalImportAssertions option allows to turn off emission of import assertions (#​4646)
    • Use output.dynamicImportInCjs to control if dynamic imports are emitted as import(…) or wrapped require(…) when generating commonjs output (#​4647)
    Bug Fixes
    • Chunk hashes take changes in renderChunk, e.g. minification, into account (#​4543)
    • Hashes of referenced assets are properly reflected in the chunk hash (#​4543)
    • No longer warn about implicitly using default export mode to not tempt users to switch to named export mode and break Node compatibility (#​4624)
    • Avoid performance issues when emitting thousands of assets (#​4644)
    Pull Requests

    Configuration

    📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

    🚦 Automerge: Enabled.

    Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about this update again.


    • [ ] If you want to rebase/retry this PR, check this box

    This PR has been generated by Mend Renovate. View repository job log here.

    opened by renovate[bot] 0
  • fix(deps): update dependency @rollup/plugin-node-resolve to v15

    fix(deps): update dependency @rollup/plugin-node-resolve to v15

    Mend Renovate

    This PR contains the following updates:

    | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | @rollup/plugin-node-resolve (source) | ^13.0.0 -> ^15.0.0 | age | adoption | passing | confidence |


    Release Notes

    rollup/plugins

    v15.0.1

    Compare Source

    2022-10-21

    Updates
    • chore: update rollup dependencies (3038271)

    v15.0.0

    Compare Source

    2022-10-10

    Breaking Changes

    v14.1.0

    Compare Source

    2022-09-12

    Features
    • feat: add new option, modulePaths (#​1104)

    v14.0.1

    Compare Source

    2022-09-08

    Bugfixes
    • fix: handle circular commonjs (#​1259)

    v14.0.0

    2022-09-06

    Breaking Changes
    • fix: preserve moduleSideEffects when re-resolving files (#​1245)

    Configuration

    📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

    🚦 Automerge: Enabled.

    Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about this update again.


    • [ ] If you want to rebase/retry this PR, check this box

    This PR has been generated by Mend Renovate. View repository job log here.

    opened by renovate[bot] 0
  • chore(deps): bump ejs and workbox-build in /docs-src

    chore(deps): bump ejs and workbox-build in /docs-src

    Bumps ejs and workbox-build. These dependencies needed to be updated together. Updates ejs from 2.7.4 to 3.1.8

    Release notes

    Sourced from ejs's releases.

    v3.1.8

    Version 3.1.8

    v3.1.7

    Version 3.1.7

    v3.1.6

    Version 3.1.6

    v3.1.5

    Version 3.1.5

    v3.0.2

    No release notes provided.

    Changelog

    Sourced from ejs's changelog.

    v3.0.1: 2019-11-23

    • Removed require.extensions (@​mde)
    • Removed legacy preprocessor include (@​mde)
    • Removed support for EOL Nodes 4 and 6 (@​mde)
    Commits

    Updates workbox-build from 6.1.5 to 6.5.4

    Release notes

    Sourced from workbox-build's releases.

    v6.5.4

    What's New 👀

    • Webpack plugin can be extended and subclasses can access the config property #3056
    • In workbox-precaching during a fall back to the network, if the request's mode is no-cors, integrity will not be used and the cache entry will not be repaired. #3099

    What's fixed 🐛

    • Integration tests fixes [#3102 ] & #3103
    • Removed documentation typos

    Misc 🤹

    • updated idb and selenium-assitant versions

    Thank yous 🌿

    Full Changelog: https://github.com/GoogleChrome/workbox/compare/v6.5.3...v6.5.4

    Workbox v6.5.2 includes a number of improvements to the TypeScript documentation and exported types, which should in turn improve the generated documentation.

    A full changelog is available at https://github.com/GoogleChrome/workbox/compare/v6.5.1...v6.5.2

    Workbox v6.5.1

    The Workbox v6.5.1 release includes a few changes related to our TypeScript interfaces and documentation.

    A full changelog is available at https://github.com/GoogleChrome/workbox/compare/v6.5.0...v6.5.1

    What's New

    • Additional inline @examples of using our build tools have been added to the TSDocs for workbox-build and workbox-webpack-plugin. #3038
    • The TypeScript type for the generateSW(), injectManifest(), and getManifest() methods in workbox-build has been updated from unknown to an appropriate actual type specific to each method. This should lead to better TSDoc generation and type inferences for developers. As this takes what was previously only a runtime check and moves it to a compile-time check, we believe that it should be functionally equivalent to prior releases, but if you run into problems, please let us know by opening an issue. #3037

    What's Fixed

    • We have re-added the default export to workbox-webpack-plugin. #3036

    Workbox v6.5.0

    The Workbox v6.5.0 release includes a number of smaller fixes, as well as a major rewrite of the workbox-webpack-plugin to TypeScript.

    A full changelog is available at https://github.com/GoogleChrome/workbox/compare/v6.4.2...v6.5.0

    What's New

    • workbox-webpack-plugin has been rewritten in TypeScript, and has public TypeScript definitions for its interfaces published as part of this release. We do not anticipate any changes in the underlying functionality as part of this rewrite. #2882
    • A forceSyncFallback parameter has been added to workbox-background-sync, without changing the default behavior. When forceSyncFallback is explicitly set to true, workbox-background-sync will always attempt to replay queued requests when the service worker starts up and never rely on the sync event listener. Most developers will not need this behavior, but it can be useful when targeting environments that have a non-functional Background Sync implementation, like some Electron runtimes. #3020

    What's Fixed

    • A more informative message is returned when an opaque response is erroneously used in workbox-streams. #3001
    • Removed a dynamic method call in workbox-background-sync which could lead to errors when run through with certain aggressive minifiers. #3012
    • A waitUntil() was added to the StaleWhileRevalidate strategy, ensuring that it works properly with navigation preload responses. #3015
    • Removed the dependency on the deprecated source-map-url package. #3031

    ... (truncated)

    Commits

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies javascript 
    opened by dependabot[bot] 1
  • chore(deps): bump terser from 5.6.1 to 5.16.1 in /docs-src

    chore(deps): bump terser from 5.6.1 to 5.16.1 in /docs-src

    Bumps terser from 5.6.1 to 5.16.1.

    Changelog

    Sourced from terser's changelog.

    v5.16.1

    • Properly handle references in destructurings (const { [reference]: val } = ...)
    • Allow parsing of .#privatefield in nested classes
    • Do not evaluate operations that return large strings if that would make the output code larger
    • Make collapse_vars handle block scope correctly
    • Internal improvements: Typos (#1311), more tests, small-scale refactoring

    v5.16.0

    • Disallow private fields in object bodies (#1011)
    • Parse #privatefield in object (#1279)
    • Compress #privatefield in object

    v5.15.1

    • Fixed missing parentheses around optional chains
    • Avoid bare let or const as the bodies of if statements (#1253)
    • Small internal fixes (#1271)
    • Avoid inlining a class twice and creating two equivalent but !== classes.

    v5.15.0

    • Basic support for ES2022 class static initializer blocks.
    • Add AudioWorkletNode constructor options to domprops list (#1230)
    • Make identity function inliner not inline id(...expandedArgs)

    v5.14.2

    • Security fix for RegExps that should not be evaluated (regexp DDOS)
    • Source maps improvements (#1211)
    • Performance improvements in long property access evaluation (#1213)

    v5.14.1

    • keep_numbers option added to TypeScript defs (#1208)
    • Fixed parsing of nested template strings (#1204)

    v5.14.0

    • Switched to @​jridgewell/source-map for sourcemap generation (#1190, #1181)
    • Fixed source maps with non-terminated segments (#1106)
    • Enabled typescript types to be imported from the package (#1194)
    • Extra DOM props have been added (#1191)
    • Delete the AST while generating code, as a means to save RAM

    v5.13.1

    • Removed self-assignments (varname=varname) (closes #1081)
    • Separated inlining code (for inlining things into references, or removing IIFEs)
    • Allow multiple identifiers with the same name in var destructuring (eg var { a, a } = x) (#1176)

    v5.13.0

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies javascript 
    opened by dependabot[bot] 1
  • chore(deps): bump express from 4.17.1 to 4.18.2 in /docs-src

    chore(deps): bump express from 4.17.1 to 4.18.2 in /docs-src

    Bumps express from 4.17.1 to 4.18.2.

    Release notes

    Sourced from express's releases.

    4.18.2

    4.18.1

    • Fix hanging on large stack of sync routes

    4.18.0

    ... (truncated)

    Changelog

    Sourced from express's changelog.

    4.18.2 / 2022-10-08

    4.18.1 / 2022-04-29

    • Fix hanging on large stack of sync routes

    4.18.0 / 2022-04-25

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies javascript 
    opened by dependabot[bot] 0
Releases(@casl/[email protected])
Owner
Sergii Stotskyi
Sergii Stotskyi
The authentication-server is a node app that handles user registration, authentication & authorization with JWT.

Authentication Server The authentication-server is a node app that handles user registration, authentication & authorization with JWT. Here is the REP

Oğuz Çolak 18 Jul 24, 2022
Oso is a batteries-included library for building authorization in your application.

Oso What is Oso? Oso is a batteries-included library for building authorization in your application. Oso gives you a mental model and an authorization

Oso 2.8k Jan 1, 2023
Tutorial Project : NodeJs API Multi Authorization Middleware with JWT

Tutorial How to Create API with multi route prefixs as well as Multi Authorization in NodeJs Installation npm install .env modify database informatio

Aung Kyaw Nyunt 10 Dec 10, 2022
Boilerplate next.js app demonstrating how to implement authorization mechanisms using Permify

Permify Next.js Authorization Demo App This demo app shows how to implement authorization mechanisms to your Next.js application using Permify Node SD

Permify 7 Apr 22, 2022
A small project with 3 accounts mapped to 3 resources using auth0 as an authentication service.

Auth0WithExpressJS Quickstart install dependencies for backend and start backend cd Auth0WithExpressJS\Back && npm start install dependencies for fron

RYMND 16 Aug 21, 2021
This package allows you to use Okta as your identity provider for use with Netlify's Role-based access control with JWT.

netlify-okta-auth This package allows you to use Okta as your identity provider for use with Netlify's Role-based access control with JWT. Who is this

Twilio Labs 8 Sep 17, 2022
EveryAuth is the easiest way for your app to access APIs like Slack, Salesforce, or Github.

EveryAuth EveryAuth is the easiest way for your app to access APIs like Slack, Salesforce, or Github. import everyauth from "@fusebit/everyauth-expres

Fusebit 13 Dec 12, 2022
A lite version for the my original app loki stream which allowed watching anime on your phone. Made using expo.

LokiStream Lite A lite version for the my original app loki stream. This app is faster, smaller and more optimized for your phone. It allows you to wa

Lavish Kumar 18 Dec 24, 2022
An OAuth2 Authorization Server,Based on Spring Authorization Server

?? id-server 一个基于Spring Authorization Server的开源的授权服务器。 概念 一些概念 OAuth2Client 客户端指的是OAuth2 Client,但又不单单是一个OAuth2 Client,连id server本身都是一个客户端。 role 角色必须依附

felord.cn 351 Dec 30, 2022
BookStore is a website that allows a given user to view a list of books, to add a new book and remove a given book.

Project Name : BookStore CMS BookStore is a website that allows a given user to view a list of books, to add a new book and remove a given book. In or

Chris Siku 10 Aug 22, 2022
An authorization library that supports access control models like ACL, RBAC, ABAC in modern JavaScript platforms

Casbin-Core ?? Looking for an open-source identity and access management solution like Okta, Auth0, Keycloak ? Learn more about: Casdoor News: still w

Casbin 6 Oct 20, 2022
An authorization library that supports access control models like ACL, RBAC, ABAC in Node.js and Browser

Node-Casbin News: still worry about how to write the correct node-casbin policy? Casbin online editor is coming to help! node-casbin is a powerful and

Casbin 2.1k Dec 27, 2022
Simple string diffing. Given two strings, striff will return an object noting which characters were added or removed, and at which indices

Simple string diffing. Given two strings, striff will return an object noting which characters were added or removed, and at which indices

Alex MacArthur 196 Jan 6, 2023
Incredible resources (with links) to help up-skill yourselves on various fields. Resources like programming, designing, engineering and much more and completely Open Source.

Shiryoku Incredible resources (with links) to help up-skill yourselves on various fields. Resources like programming, designing, engineering and much

Kunal Keshan 22 Dec 15, 2022
Manage GitHub resources like repositories, teams, members, integrations and workflows with the AWS CDK as Custom Resources in CloudFormation.

CDK Github Manage GitHub resources like repositories, teams, members, integrations and workflows with the AWS CDK as Custom Resources in CloudFormatio

Pepperize 8 Nov 25, 2022
The authentication-server is a node app that handles user registration, authentication & authorization with JWT.

Authentication Server The authentication-server is a node app that handles user registration, authentication & authorization with JWT. Here is the REP

Oğuz Çolak 18 Jul 24, 2022
Firebase Angular Skeleton - Quickly create an application with a fully functional authentication, authorization and user management system.

FAngS - Firebase Angular Skeleton FAngS lets you quickly create an application with a fully functional authentication, authorization and user manageme

Ryan Lefebvre 7 Sep 21, 2022
TypeScript isomorphic library to make work with Telegram Web Apps init data easier.

Telegram Web Apps Init Data TypeScript isomorphic library to make work with Telegram Web Apps init data easier. Feel free to use it in browser and Nod

Telegram Web Apps 2 Oct 7, 2022
Minecraft 1.8.9 mod which steals the access token and more things from the targetted user and sends to a backend server for processing. Disclaimer: For educational purposes only.

R.A.T Retrieve Access Token Check DxxxxY/TokenAuth to login into an MC account with a name, token and uuid combo. Features Grabs the username, uuid, t

null 45 Jan 9, 2023