Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Allow accessibleBy to throw ForbiddenError when the query denied

See original GitHub issue

Is your feature request related to a problem? Please describe.

First thanks for this amazing library, it’s really helpful in many ways.

By using @casl/mongoose and for example ExpressJS I’m trying to find a way to distinguish between
“document not found” and “forbidden” errors.

For example here:

app.get("/:todoId", async (req, res, next) => {
  try {
    const todo = await ToDo.findById(req.params.todoId).accessibleBy(req.ability);
    // problem: if todo is null - was it not found or forbidden?
    return res.json(todo);
  } catch (err) {  
    return next(err);
  }
});

In both cases when either the document is not found or the user is not allowed to access it null is returned in todo variable.

Describe the solution you’d like

By giving the option (maybe by adding an argument to .accessibleBy or even better: plugin configuration) to throw ForbiddenError automatically in case of authorization failure we can return 403 status to any caught ForbiddenError thrown by the endpoints.

For example:

function errorHandler (err, req, res, next) {
  ...
  if (err.name === 'ForbiddenError') {
     res.status(403)
  } 
  ...
  res.render('error', { error: err })
}

Describe alternatives you’ve considered (optional)

Using mongoose’s .orFail() method, but instead integrating this ability in @casl/mongoose can really ease the usage in most of the cases instead of patching every endpoint.