
JS Fest 2019/Autumn. Сергій Стоцький. CASL. Isomorphic Permission Management

CASL is a library that helps you integrate simple access rules in an understandable form and extend them over time. Because CASL is written in plain ES6, it can be used with any ORM, HTTP or UI framework, and the companion packages let you integrate it without extra effort.

Published in: Education


  1. CASL. Isomorphic Permission Management
  2. Who am I and what do I do here?
     Experience:
     ● working since the dark times of IE6
     ● PHP, Ruby, Node.js, ~Java and .NET Core
     Hobbies:
     ● chess, books
     ● articles, open source contribution
  3. CASL. Isomorphic permission management
  4. What? CASL?
  5. Why CASL? ACL
  6. Why CASL?
     <div v-if="user.role === 'admin' || post.authorId === user.id">
       <button @click="publish">Publish</button>
     </div>
  7. Why CASL?
     <div v-if="user.role === 'admin' || user.role === 'moderator' || post.authorId === user.id">
       <button @click="publish">Publish</button>
     </div>
  8. Why CASL?
  9. Why CASL?
     <div v-if="can('publish')">
       <button @click="publish">Publish</button>
     </div>
  10. Why CASL?
     <div v-if="can('publish', 'Post')">
       <button @click="publish">Publish</button>
     </div>
  11. Story telling
  12. How to CASL. What's special in CASL?
     1. Evolve ACL as requirements evolve
     2. Declarative configuration
     3. In-memory validation and database queries
     4. MongoDB-like conditions
     5. Serializable rules
  13. How to CASL
  14. How to CASL. Permissions: admin
     can manage all
  15. How to CASL. Permissions: writer
     can create Article
     can read Article where published = true
     can read, update Article where author = me
     can delete, publish Article where author = me and published = false
     can read, update User where id = me
  16. How to CASL. Permissions: unauthenticated
     can read Article where published = true
  17. How to CASL. CASL: admin
     can('manage', 'all')
  18. How to CASL. CASL: admin
     import { AbilityBuilder } from '@casl/ability'
     const { can } = AbilityBuilder.extract()
     can('manage', 'all')
  19. How to CASL. CASL: writer
     can('create', 'Article')
     can('read', 'Article', { published: true })
     can(['read', 'update'], 'Article', { authorId: user.id })
     can(['delete', 'publish'], 'Article', { authorId: user.id, published: false })
     can(['read', 'update'], 'User', { id: user.id })
  20. How to CASL. CASL: unauthenticated
     can('read', 'Article', { published: true })
  21. How to CASL. CASL validation: seeds
     const myUser = new User({ id: 1, email: 'writer@casl.io' })
     const myDraft = new Article({ authorId: myUser.id, published: false })
     const myArticle = new Article({ authorId: myUser.id, published: true })
  22. How to CASL. CASL validation: seeds
     const anotherUser = new User({ email: 'another.writer@casl.io' })
     const anotherDraft = new Article({ ... })
     const anotherArticle = new Article({ ... })
  23. How to CASL. CASL validation: admin
     import { Ability } from '@casl/ability'
     import { rulesForAdmin } from './rules'
     const ability = new Ability(rulesForAdmin())
     ability.can('read', 'Article') // true
     ability.can('read', 'User') // true
     ability.can('read', myArticle) // true
  24. How to CASL. CASL validation: writer
     const ability = new Ability(rulesForWriter(myUser))
     ability.can('create', 'Article') // true
     ability.can('read', anotherDraft) // false
     ability.can('read', anotherArticle) // true
     ability.can('read', myDraft) // true
     ability.can('read', myArticle) // true
  25. How to CASL. CASL validation: unauthenticated
     const ability = new Ability(rulesForAnonymous())
     ability.can('read', 'Article') // true
     ability.can('read', anotherArticle) // true
     ability.can('read', anotherUser) // false
     ability.can('read', anotherDraft) // false
     ability.can('create', 'Article') // false
  26. How to CASL. CASL demo: Vue app + Express API
  27. How to CASL. CASL alternatives
  28. How to CASL. CASL alternatives
     Library        Downloads/month  GitHub stars  Size (gzip)  Last updated   Tree shaking  Instance validation  Attribute validation  DB queries
     @casl/ability  105k             1.6k          3.9K         2 weeks ago    Yes           Yes                  Yes                   Yes
     acl            31k              2.3k          56.6K        2 years ago    No            No                   No                    No
     accesscontrol  44k              965           7.7K         10 months ago  Maybe         No                   Yes                   No
     connect-roles  20k              704           5.2K         9 months ago   No            No                   No                    No
     casbin         16k              670           34.6K        2 months ago   Maybe         Yes                  Yes                   No
     cancan         1.7k             578           985          1 year ago     No            Yes                  No                    No
  29. THERE IS NO MAGIC HERE
  30. How to CASL. No magic behind!
     1. SQL joins
     2. Synchronous
     3. Specification pattern
  31. How to CASL. What else? NO ROLES IN MY ACL
  32. How to CASL. What else? Feature flags
  33. How to CASL. What else? Hardware capabilities
  34. How to CASL. What else? Business logic
     async function rulesForUser(user) {
       const { rules, can, cannot } = AbilityBuilder.extract()
       can('read', 'Post')
       if (user.hasActiveSubscription()) {
         can('update', 'Post', { userId: user.id })
       } else {
         cannot('update', 'Post')
           .because('Your subscription has been expired')
       }
       return rules
     }
  35. CASL. Isomorphic Permission Management. Sergii Stotskyi, sergiy.stotskiy@gmail.com. ?
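An added example, not code from the talk or from the @casl/ability package: a minimal re-implementation of the specification-pattern idea from slides 12 and 30, just enough to run the writer checks of slides 19 and 24 and to turn the same serializable rules into a MongoDB-style query. It supports only equality conditions, and the class, function and sample names are assumptions.

```javascript
// Assumed, minimal re-implementation (not @casl/ability): serializable rules,
// MongoDB-like equality conditions, in-memory checks and rules-to-query.
class User { constructor(attrs) { Object.assign(this, attrs) } }
class Article { constructor(attrs) { Object.assign(this, attrs) } }

// Slide 19 rules as plain objects: { action, subject, conditions? }.
function rulesForWriter(user) {
  return [
    { action: 'create', subject: 'Article' },
    { action: 'read', subject: 'Article', conditions: { published: true } },
    { action: 'read', subject: 'Article', conditions: { authorId: user.id } },
    { action: 'update', subject: 'Article', conditions: { authorId: user.id } },
    { action: 'delete', subject: 'Article', conditions: { authorId: user.id, published: false } },
    { action: 'publish', subject: 'Article', conditions: { authorId: user.id, published: false } },
    { action: 'read', subject: 'User', conditions: { id: user.id } },
    { action: 'update', subject: 'User', conditions: { id: user.id } },
  ]
}

// Subject type: the string itself, or the instance's class name.
const subjectType = (s) => (typeof s === 'string' ? s : s.constructor.name)
// Does a rule cover this action and subject type? 'manage' and 'all' are wildcards.
const applies = (r, action, type) =>
  (r.action === action || r.action === 'manage') && (r.subject === type || r.subject === 'all')
// MongoDB-like equality match: every condition field must equal the object's field.
const matches = (conditions, obj) => Object.entries(conditions).every(([k, v]) => obj[k] === v)

// In-memory check. A type-only check ('Article') ignores conditions and answers
// "can the user read at least some articles?", as on slide 24.
function can(rules, action, subject) {
  return rules.some((r) =>
    applies(r, action, subjectType(subject)) &&
    (typeof subject === 'string' || !r.conditions || matches(r.conditions, subject)))
}

// Database side: OR the conditions of every applicable rule. null means nothing
// is permitted; {} means an unconditional rule permits everything.
function rulesToQuery(rules, action, type) {
  const relevant = rules.filter((r) => applies(r, action, type))
  if (relevant.length === 0) return null
  if (relevant.some((r) => !r.conditions)) return {}
  return { $or: relevant.map((r) => r.conditions) }
}

// Constructed sample data mirroring slides 21-22.
const myUser = new User({ id: 1, email: 'writer@casl.io' })
const writerRules = rulesForWriter(myUser)
const anotherDraft = new Article({ authorId: 2, published: false })
console.log(can(writerRules, 'read', anotherDraft)) // false
console.log(JSON.stringify(rulesToQuery(writerRules, 'read', 'Article'))) // {"$or":[{"published":true},{"authorId":1}]}
```

The same rule list drives both the instance check and the query filter, which is what lets the rules be serialized once on the API and reused unchanged in the UI.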
