Allow accessibleBy to throw ForbiddenError when the query denied
Is your feature request related to a problem? Please describe.
First thanks for this amazing library, it’s really helpful in many ways.
By using `@casl/mongoose` and for example ExpressJS I’m trying to find a way to distinguish between “document not found” and “forbidden” errors.
For example here:
```javascript
app.get("/:todoId", async (req, res, next) => {
  try {
    const todo = await ToDo.findById(req.params.todoId).accessibleBy(req.ability);
    // problem: if todo is null - was it not found or forbidden?
    return res.json(todo);
  } catch (err) {
    return next(err);
  }
});
```
In both cases, when either the document is not found or the user is not allowed to access it, `null` is returned in the `todo` variable.
Describe the solution you’d like
By giving the option (maybe by adding an argument to `.accessibleBy` or even better: plugin configuration) to throw `ForbiddenError` automatically in case of authorization failure we can return 403 status to any caught `ForbiddenError` thrown by the endpoints.
For example:
```javascript
function errorHandler(err, req, res, next) {
  // ...
  if (err.name === 'ForbiddenError') {
    res.status(403);
  }
  // ...
  res.render('error', { error: err });
}
```
Describe alternatives you’ve considered (optional)
Using mongoose’s `.orFail()` method, but instead integrating this ability in `@casl/mongoose` can really ease the usage in most of the cases instead of patching every endpoint.
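
The distinction the issue asks for, as an added example that is not part of the original issue and is not `@casl/mongoose` code: load the document without the authorization filter, then check the rule on it, so "missing" and "denied" fail separately. The in-memory store, `abilityFor`, `NotFoundError`, `readTodo`, `statusFor`, `handle` and the `hideExistence` option are hypothetical stand-ins so the block runs without dependencies; `hideExistence` covers the case where a 403 would confirm to the caller that an id exists.

```javascript
// Added example: dependency-free stand-ins, not the @casl/mongoose API.
class ForbiddenError extends Error {
  constructor(message) { super(message); this.name = 'ForbiddenError'; }
}
class NotFoundError extends Error {
  constructor(message) { super(message); this.name = 'NotFoundError'; }
}

// Constructed sample data standing in for the ToDo collection.
const todos = new Map([
  ['t1', { id: 't1', ownerId: 'alice', title: 'write report' }],
  ['t2', { id: 't2', ownerId: 'bob', title: 'rotate keys' }],
]);

// Hypothetical ability: a user may read only their own todos.
const abilityFor = (userId) => ({
  can: (action, todo) => action === 'read' && todo.ownerId === userId,
});

// Step 1: look the document up without the authorization filter.
// Step 2: check the rule on the loaded document, so "missing" and
// "denied" are separate failures instead of one null result.
function readTodo(ability, todoId) {
  const todo = todos.get(todoId);
  if (!todo) throw new NotFoundError(`todo ${todoId} not found`);
  if (!ability.can('read', todo)) throw new ForbiddenError(`cannot read todo ${todoId}`);
  return todo;
}

// Maps the error name to a status, as the errorHandler above does.
// hideExistence answers 404 for denied reads so that the status code
// does not confirm that a given id exists.
function statusFor(err, { hideExistence = false } = {}) {
  if (err.name === 'ForbiddenError') return hideExistence ? 404 : 403;
  if (err.name === 'NotFoundError') return 404;
  return 500;
}

// Stand-in for the route plus error middleware: returns status and body.
function handle(userId, todoId, options) {
  try {
    return { status: 200, body: readTodo(abilityFor(userId), todoId) };
  } catch (err) {
    return { status: statusFor(err, options), body: null };
  }
}
```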
Issue Analytics
- State:
- Created 3 years ago
- Reactions: 1
- Comments: 13 (8 by maintainers)
Top GitHub Comments
🎉 This issue has been resolved in version 4.0.0 🎉
The release is available on:
Your semantic-release bot 📦🚀
will be released in the next version