@casl/mongoose Accessible Records plugin's doesn't work with classes as subject type
Describe the bug
I’m using NestJS + CASL + mongoose (+ casl/mongoose). I have Record and User modules. In ability/ability.factory.ts I define the ability for mongoose’s models, and all the checks work correctly both for the RecordModel and its instances from the DB. I also have a simple endpoint in records/records.controller.ts that retrieves all the Records from the DB that the logged-in user can access (in the actual project I get the logged-in user through JWT, but in this example I mock it). I get the logged-in user’s ability using AbilityFactory and pass it to the find method of records/records.service.ts. However, using the .accessibleBy(ability) method on the RecordModel throws ForbiddenError saying Cannot execute "read" on "Record", despite the ability’s permissions being sufficient (see the “To reproduce” section). I have also included some console.logs and comments in records.controller and records.service.
To Reproduce
I’ve created a repository with a simple NestJS project with an example of the issue (I couldn’t, however, supply it with proper tests). Clone it, install with npm ci and start with npm run start:dev.
A GET request to http://localhost:3000/records/ results in a 403 Forbidden, but is supposed to be a 200 with an array of Records.
I’ve also created a test Mongo cluster with mock data and included the connection URL in the code.
Expected behavior
Since the ability is able to read Records, .accessibleBy() must not throw ForbiddenError and should return a proper Query object.
CASL Version
@casl/ability: v6.0.0
@casl/mongoose: v7.0.0
Environment:
nodejs: v16.16.0
typescript: v4.7.4
Top GitHub Comments
OK, found the cause. It appears that casl/mongoose doesn’t work in case you use classes as subject types. It expects to work with strings only.
fixed in @casl/mongoose@7.1.0
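The cause found above is a subject-type mismatch between two layers of the same authorization model: the ability's rules were defined with a mongoose model class as the subject type, while the query-level helper compared subject types as strings, so a user who was in fact permitted got a ForbiddenError (the safe, fail-closed outcome, but still a bug). The following added example is not CASL's or the project's code; it is a deliberately simplified model of a query-level check that ignores `cannot` rules and rule ordering. The `RecordModel` stand-in, its `modelName`, the rule objects, the `ownerId`/`public` conditions and the `subjectTypeName` helper are constructed assumptions. It shows the naive string-only comparison reproducing the failure, and a normalizing comparison that treats a class and its model name as the same subject type.

```javascript
// Added example (not CASL's or the project's code): a minimal model of how a
// query-level authorization helper like accessibleBy() must resolve subject
// types. Rules may name a subject type as a string ("Record") or as a class
// (RecordModel); both must normalize to the same name before matching.

// Constructed stand-in for a mongoose model class. Real mongoose models expose
// `modelName`; plain classes only expose `name`.
class RecordModel {}
RecordModel.modelName = 'Record';

class ForbiddenError extends Error {}

// Normalize a subject type (string or class) to a comparable name.
function subjectTypeName(type) {
  if (typeof type === 'string') return type;
  if (typeof type === 'function') return type.modelName || type.name;
  throw new TypeError(`unsupported subject type: ${String(type)}`);
}

// Naive matcher reproducing the issue: compares the raw rule subject with the
// model name string, so a class-typed rule never matches.
function naiveMatches(rule, action, modelName) {
  return rule.action === action && rule.subject === modelName;
}

// Normalizing matcher: a class and its model name are the same subject type.
function normalizedMatches(rule, action, modelName) {
  return rule.action === action && subjectTypeName(rule.subject) === modelName;
}

// Build a Mongo-style filter from the allowing rules that match `action` on
// `model`. Fails closed (throws) when no rule grants access.
// Simplification: inverted (`cannot`) rules and rule precedence are ignored.
function accessibleBy(rules, action, model, matches) {
  const modelName = subjectTypeName(model);
  const allowing = rules.filter((r) => !r.inverted && matches(r, action, modelName));
  if (allowing.length === 0) {
    throw new ForbiddenError(`Cannot execute "${action}" on "${modelName}"`);
  }
  const conditions = allowing.map((r) => r.conditions ?? {});
  // Any unconditional allow makes the whole query unrestricted.
  if (conditions.some((c) => Object.keys(c).length === 0)) return {};
  return conditions.length === 1 ? conditions[0] : { $or: conditions };
}

// Constructed rule sets: the same grant expressed with a class subject type,
// with a string subject type, and a mix of both.
const rulesWithClass = [
  { action: 'read', subject: RecordModel, conditions: { ownerId: 'user-1' } },
];
const rulesWithString = [
  { action: 'read', subject: 'Record', conditions: { ownerId: 'user-1' } },
];
const rulesMixed = [
  { action: 'read', subject: RecordModel, conditions: { ownerId: 'user-1' } },
  { action: 'read', subject: 'Record', conditions: { public: true } },
];

// Run the three scenarios and return the outcomes for inspection.
function demo() {
  const results = {};
  results.stringRulesNaive = accessibleBy(rulesWithString, 'read', RecordModel, naiveMatches);
  try {
    accessibleBy(rulesWithClass, 'read', RecordModel, naiveMatches);
    results.classRulesNaive = 'allowed';
  } catch (e) {
    // This is the failure reported in the issue: permitted, yet forbidden.
    results.classRulesNaive = e instanceof ForbiddenError ? e.message : 'unexpected';
  }
  results.classRulesNormalized = accessibleBy(rulesWithClass, 'read', RecordModel, normalizedMatches);
  results.mixedNormalized = accessibleBy(rulesMixed, 'read', RecordModel, normalizedMatches);
  return results;
}

console.log(demo());
```

The design point is that whichever representation the rule author uses, the check must normalize both the rule's subject type and the queried model to one canonical name; throwing when nothing matches is the right default, because a silent "no restrictions" would turn a type mismatch into a data exposure rather than a 403.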