CASL is a library for managing permissions across applications. It allows defining permissions declaratively using rules. Rules can be defined for different user roles, like "admin" or "writer", and permissions are validated both in memory and for database queries. CASL aims to provide a flexible yet simple way to manage permissions as requirements evolve. It supports features like tree shaking, instance and attribute validation, and database queries.

1. CASL
Isomorphic Permission Management

2. Who am I and what I do here?
Experience:
● working from dark times of IE6
● PHP, Ruby, Nodejs, ~Java and .NET Core
Hobbies:
● chess, books
● articles , open source contribution

3. CASL. Isomorphic permission management

4. What? CASL?

5. Why CASL?
ACL

6. Why CASL?
<div v-if="user.role === 'admin' || post.authorId ===
user.id">
<button @click="publish">Publish</button>
</div>

7. Why CASL?
<div v-if="user.role === 'admin' || user.role ===
'moderator' || post.authorId === user.id">
<button @click="publish">Publish</button>
</div>

8. Why CASL?

9. Why CASL?
<div v-if="can('publish')">
<button @click="publish">Publish</button>
</div>

10. Why CASL?
<div v-if="can('publish', 'Post')">
<button @click="publish">Publish</button>
</div>

11. Story telling

12. How to CASL
Evolve ACL as requirements evolve1
What’s special in CASL?
Declarative configuration2
In-memory validation and database queries3
MongoDB-like conditions4
Serializable rules5

13. How to CASLHow to CASLHow to CASL

14. How to CASLPermissions: admin
can manage all

15. How to CASLPermissions: writer
can create Article
can read Article
where published = true
can read, update Article
where author = me
can delete, publish Article
where author = me and published = false
can read, update User
where id = me

16. How to CASLPermissions: unauthenticated
can read Article
where published = true

17. How to CASLCASL: admin
can('manage', 'all')

18. How to CASLCASL: admin
import { AbilityBuilder } from '@casl/ability'
const { can } = AbilityBuilder.extract()
can('manage', 'all')

19. How to CASLCASL: writer
can('create', 'Article')
can('read', 'Article', {
published: true
})
can(['read', 'update'], 'Article', {
authorId: user.id
})
can(['delete', 'publish'], 'Article', {
authorId: user.id,
published: false
})
can(['read', 'update'], 'User', {
id: user.id
})

20. How to CASLCASL: unauthenticated
can('read', 'Article', { published: true })

21. How to CASLCASL validation: seeds
const myUser = new User({ id: 1, email: 'writer@casl.io' })
const myDraft = new Article({ authorId: myUser.id, published: false })
const myArticle = new Article({ authorId: myUser.id, published: true })

22. How to CASLCASL validation: seeds
const anotherUser = new User({ email: 'another.writer@casl.io' })
const anotherDraft = new Article({ ... })
const anotherArticle = new Article({ ... })

23. How to CASLCASL validation: admin
import { Ability } from '@casl/ability'
import { rulesForAdmin } from './rules'
const ability = new Ability(rulesForAdmin())
ability.can('read', 'Article') // true
ability.can('read', 'User') // true
ability.can('read', myArticle) // true

24. How to CASLCASL validation: writer
const ability = new Ability(rulesForWriter(myUser))
ability.can('create', 'Article') // true
ability.can('read', anotherDraft) // false
ability.can('read', anotherArticle) // true
ability.can('read', myDraft) // true
ability.can('read', myArticle) // true

25. How to CASLCASL validation: unauthenticated
const ability = new Ability(rulesForAnonymous())
ability.can('read', 'Article') // true
ability.can('read', anotherArticle) // true
ability.can('read', anotherUser) // false
ability.can('read', anotherDraft) // false
ability.can('create', 'Article') // false

27. How to CASLCASL Demo
Vue app Express API

28. How to CASLCASL Alternatives

29. Downloads
/ month
Github
stars
Size
(gzip)
Last updated Tree
shaking
Instance
validation
Attribute
validation
DB
Queries
@casl/ability 105k 1.6k 3.9K 2 weeks ago Yes Yes Yes Yes
acl 31k 2.3k 56.6K 2 years ago No No No No
accesscontrol 44k 965 7.7K 10 months ago Maybe No Yes No
connect-roles 20k 704 5.2K 9 months ago No No No No
casbin 16k 670 34.6K 2 months ago Maybe Yes Yes No
cancan 1.7k 578 985 1 year ago No Yes No No
How to CASLCASL Alternatives

30. THERE IS NO MAGIC HERE

31. How to CASLNo Magic Behind!
SQL joins1
Synchronous2
Specification pattern3

32. How to CASLWhat else?
NO
ROLES
IN MY
ACL

33. How to CASLWhat else? Feature flags

34. How to CASLWhat else? Hardware capabilities

35. How to CASLWhat else? Business logic
async function rulesForUser(user) {
const { rules, can, cannot } = AbilityBuilder.extract()
can('read', 'Post')
if (user.hasActiveSubscription()) {
can('update', 'Post', { userId: user.id })
} else {
cannot('update', 'Post')
.because('Your subscription has been expired')
}
return rules
})

36. CASL
Isomorphic Permission Management
Sergii Stotskyi
sergiy.stotskiy@gmail.com
?