SlideShare a Scribd company logo
CASL
Isomorphic Permission Management
Who am I and what I do here?
Experience:
● working from dark times of IE6
● PHP, Ruby, Nodejs, ~Java and .NET Core
Hobbies:
● chess, books
● articles , open source contribution
CASL. Isomorphic permission management
What? CASL?
Why CASL?
ACL
Why CASL?
<div v-if="user.role === 'admin' || post.authorId ===
user.id">
<button @click="publish">Publish</button>
</div>
Why CASL?
<div v-if="user.role === 'admin' || user.role ===
'moderator' || post.authorId === user.id">
<button @click="publish">Publish</button>
</div>
Why CASL?
Why CASL?
<div v-if="can('publish')">
<button @click="publish">Publish</button>
</div>
Why CASL?
<div v-if="can('publish', 'Post')">
<button @click="publish">Publish</button>
</div>
Story telling
How to CASL
Evolve ACL as requirements evolve1
What’s special in CASL?
Declarative configuration2
In-memory validation and database queries3
MongoDB-like conditions4
Serializable rules5
How to CASLHow to CASLHow to CASL
How to CASLPermissions: admin
can manage all
How to CASLPermissions: writer
can create Article
can read Article
where published = true
can read, update Article
where author = me
can delete, publish Article
where author = me and published = false
can read, update User
where id = me
How to CASLPermissions: unauthenticated
can read Article
where published = true
How to CASLCASL: admin
can('manage', 'all')
How to CASLCASL: admin
import { AbilityBuilder } from '@casl/ability'
const { can } = AbilityBuilder.extract()
can('manage', 'all')
How to CASLCASL: writer
can('create', 'Article')
can('read', 'Article', {
published: true
})
can(['read', 'update'], 'Article', {
authorId: user.id
})
can(['delete', 'publish'], 'Article', {
authorId: user.id,
published: false
})
can(['read', 'update'], 'User', {
id: user.id
})
How to CASLCASL: unauthenticated
can('read', 'Article', { published: true })
How to CASLCASL validation: seeds
const myUser = new User({ id: 1, email: 'writer@casl.io' })
const myDraft = new Article({ authorId: myUser.id, published: false })
const myArticle = new Article({ authorId: myUser.id, published: true })
How to CASLCASL validation: seeds
const anotherUser = new User({ email: 'another.writer@casl.io' })
const anotherDraft = new Article({ ... })
const anotherArticle = new Article({ ... })
How to CASLCASL validation: admin
import { Ability } from '@casl/ability'
import { rulesForAdmin } from './rules'
const ability = new Ability(rulesForAdmin())
ability.can('read', 'Article') // true
ability.can('read', 'User') // true
ability.can('read', myArticle) // true
How to CASLCASL validation: writer
const ability = new Ability(rulesForWriter(myUser))
ability.can('create', 'Article') // true
ability.can('read', anotherDraft) // false
ability.can('read', anotherArticle) // true
ability.can('read', myDraft) // true
ability.can('read', myArticle) // true
How to CASLCASL validation: unauthenticated
const ability = new Ability(rulesForAnonymous())
ability.can('read', 'Article') // true
ability.can('read', anotherArticle) // true
ability.can('read', anotherUser) // false
ability.can('read', anotherDraft) // false
ability.can('create', 'Article') // false
How to CASLCASL Demo
Vue app Express API
How to CASLCASL Alternatives
Downloads
/ month
Github
stars
Size
(gzip)
Last updated Tree
shaking
Instance
validation
Attribute
validation
DB
Queries
@casl/ability 105k 1.6k 3.9K 2 weeks ago Yes Yes Yes Yes
acl 31k 2.3k 56.6K 2 years ago No No No No
accesscontrol 44k 965 7.7K 10 months ago Maybe No Yes No
connect-roles 20k 704 5.2K 9 months ago No No No No
casbin 16k 670 34.6K 2 months ago Maybe Yes Yes No
cancan 1.7k 578 985 1 year ago No Yes No No
How to CASLCASL Alternatives
THERE IS NO MAGIC HERE
How to CASLNo Magic Behind!
SQL joins1
Synchronous2
Specification pattern3
How to CASLWhat else?
NO
ROLES
IN MY
ACL
How to CASLWhat else? Feature flags
How to CASLWhat else? Hardware capabilities
How to CASLWhat else? Business logic
async function rulesForUser(user) {
const { rules, can, cannot } = AbilityBuilder.extract()
can('read', 'Post')
if (user.hasActiveSubscription()) {
can('update', 'Post', { userId: user.id })
} else {
cannot('update', 'Post')
.because('Your subscription has been expired')
}
return rules
})
CASL
Isomorphic Permission Management
Sergii Stotskyi
sergiy.stotskiy@gmail.com
?

More Related Content

More from JSFestUA

JS Fest 2019/Autumn. Дмитрий Жарков. Blockchainize your SPA or Integrate Java...
JS Fest 2019/Autumn. Дмитрий Жарков. Blockchainize your SPA or Integrate Java...JS Fest 2019/Autumn. Дмитрий Жарков. Blockchainize your SPA or Integrate Java...
JS Fest 2019/Autumn. Дмитрий Жарков. Blockchainize your SPA or Integrate Java...
JSFestUA
 
JS Fest 2019/Autumn. Maciej Treder. Angular Schematics - Develop for developers
JS Fest 2019/Autumn. Maciej Treder. Angular Schematics - Develop for developersJS Fest 2019/Autumn. Maciej Treder. Angular Schematics - Develop for developers
JS Fest 2019/Autumn. Maciej Treder. Angular Schematics - Develop for developers
JSFestUA
 
JS Fest 2019/Autumn. Kyle Boss. A Tinder Love Story: Create a Wordpress Blog ...
JS Fest 2019/Autumn. Kyle Boss. A Tinder Love Story: Create a Wordpress Blog ...JS Fest 2019/Autumn. Kyle Boss. A Tinder Love Story: Create a Wordpress Blog ...
JS Fest 2019/Autumn. Kyle Boss. A Tinder Love Story: Create a Wordpress Blog ...
JSFestUA
 
JS Fest 2019/Autumn. Андрей Старовойт. Зачем нужен тип "true" в TypeScript?
JS Fest 2019/Autumn. Андрей Старовойт. Зачем нужен тип "true" в TypeScript?JS Fest 2019/Autumn. Андрей Старовойт. Зачем нужен тип "true" в TypeScript?
JS Fest 2019/Autumn. Андрей Старовойт. Зачем нужен тип "true" в TypeScript?
JSFestUA
 
JS Fest 2019/Autumn. Eyal Eizenberg. Tipping the Scale
JS Fest 2019/Autumn. Eyal Eizenberg. Tipping the ScaleJS Fest 2019/Autumn. Eyal Eizenberg. Tipping the Scale
JS Fest 2019/Autumn. Eyal Eizenberg. Tipping the Scale
JSFestUA
 
JS Fest 2019/Autumn. Sota Ohara. Сreate own server less CMS from scratch
JS Fest 2019/Autumn. Sota Ohara. Сreate own server less CMS from scratchJS Fest 2019/Autumn. Sota Ohara. Сreate own server less CMS from scratch
JS Fest 2019/Autumn. Sota Ohara. Сreate own server less CMS from scratch
JSFestUA
 
JS Fest 2019/Autumn. Джордж Евтушенко. Как стать программистом, которого хотят
JS Fest 2019/Autumn. Джордж Евтушенко. Как стать программистом, которого хотятJS Fest 2019/Autumn. Джордж Евтушенко. Как стать программистом, которого хотят
JS Fest 2019/Autumn. Джордж Евтушенко. Как стать программистом, которого хотят
JSFestUA
 
JS Fest 2019/Autumn. Алексей Орленко. Node.js N-API for Rust
JS Fest 2019/Autumn. Алексей Орленко. Node.js N-API for RustJS Fest 2019/Autumn. Алексей Орленко. Node.js N-API for Rust
JS Fest 2019/Autumn. Алексей Орленко. Node.js N-API for Rust
JSFestUA
 
JS Fest 2019/Autumn. Daniel Ostrovsky. Falling in love with decorators ES6/Ty...
JS Fest 2019/Autumn. Daniel Ostrovsky. Falling in love with decorators ES6/Ty...JS Fest 2019/Autumn. Daniel Ostrovsky. Falling in love with decorators ES6/Ty...
JS Fest 2019/Autumn. Daniel Ostrovsky. Falling in love with decorators ES6/Ty...
JSFestUA
 
JS Fest 2019/Autumn. Андрей Андрийко. Гексагональна архітектура в Nodejs проекті
JS Fest 2019/Autumn. Андрей Андрийко. Гексагональна архітектура в Nodejs проектіJS Fest 2019/Autumn. Андрей Андрийко. Гексагональна архітектура в Nodejs проекті
JS Fest 2019/Autumn. Андрей Андрийко. Гексагональна архітектура в Nodejs проекті
JSFestUA
 
JS Fest 2019/Autumn. Борис Могила. Svelte. Почему нам не нужно run-time ядро
JS Fest 2019/Autumn. Борис Могила. Svelte. Почему нам не нужно run-time ядроJS Fest 2019/Autumn. Борис Могила. Svelte. Почему нам не нужно run-time ядро
JS Fest 2019/Autumn. Борис Могила. Svelte. Почему нам не нужно run-time ядро
JSFestUA
 
JS Fest 2019/Autumn. Виталий Кухар. Сравнение кластеризации HTTP, TCP и UDP н...
JS Fest 2019/Autumn. Виталий Кухар. Сравнение кластеризации HTTP, TCP и UDP н...JS Fest 2019/Autumn. Виталий Кухар. Сравнение кластеризации HTTP, TCP и UDP н...
JS Fest 2019/Autumn. Виталий Кухар. Сравнение кластеризации HTTP, TCP и UDP н...
JSFestUA
 
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложениеJS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JSFestUA
 
JS Fest 2019. Mauricio Palma. You can’t read this sentence - A11y automation
JS Fest 2019. Mauricio Palma. You can’t read this sentence - A11y automationJS Fest 2019. Mauricio Palma. You can’t read this sentence - A11y automation
JS Fest 2019. Mauricio Palma. You can’t read this sentence - A11y automation
JSFestUA
 
JS Fest 2019. Владимир Агафонкин. Быстро по умолчанию: алгоритмическое мышлен...
JS Fest 2019. Владимир Агафонкин. Быстро по умолчанию: алгоритмическое мышлен...JS Fest 2019. Владимир Агафонкин. Быстро по умолчанию: алгоритмическое мышлен...
JS Fest 2019. Владимир Агафонкин. Быстро по умолчанию: алгоритмическое мышлен...
JSFestUA
 
JS Fest 2019. Артур Торосян. V8 - взгляд на асинхронность и работу с ОС изнутри
JS Fest 2019. Артур Торосян. V8 - взгляд на асинхронность и работу с ОС изнутриJS Fest 2019. Артур Торосян. V8 - взгляд на асинхронность и работу с ОС изнутри
JS Fest 2019. Артур Торосян. V8 - взгляд на асинхронность и работу с ОС изнутри
JSFestUA
 
JS Fest 2019. Anjana Vakil. Serverless Bebop
JS Fest 2019. Anjana Vakil. Serverless BebopJS Fest 2019. Anjana Vakil. Serverless Bebop
JS Fest 2019. Anjana Vakil. Serverless Bebop
JSFestUA
 
JS Fest 2019. Andrew Betts. Headers for hackers
JS Fest 2019. Andrew Betts. Headers for hackersJS Fest 2019. Andrew Betts. Headers for hackers
JS Fest 2019. Andrew Betts. Headers for hackers
JSFestUA
 
JS Fest 2019. Sebastian Golasch. The Universal Serial Web
JS Fest 2019. Sebastian Golasch. The Universal Serial WebJS Fest 2019. Sebastian Golasch. The Universal Serial Web
JS Fest 2019. Sebastian Golasch. The Universal Serial Web
JSFestUA
 
JS Fest 2019. Игорь Березин и Николай Крещенко. Эволюция архитектуры многогра...
JS Fest 2019. Игорь Березин и Николай Крещенко. Эволюция архитектуры многогра...JS Fest 2019. Игорь Березин и Николай Крещенко. Эволюция архитектуры многогра...
JS Fest 2019. Игорь Березин и Николай Крещенко. Эволюция архитектуры многогра...
JSFestUA
 

More from JSFestUA (20)

JS Fest 2019/Autumn. Дмитрий Жарков. Blockchainize your SPA or Integrate Java...
JS Fest 2019/Autumn. Дмитрий Жарков. Blockchainize your SPA or Integrate Java...JS Fest 2019/Autumn. Дмитрий Жарков. Blockchainize your SPA or Integrate Java...
JS Fest 2019/Autumn. Дмитрий Жарков. Blockchainize your SPA or Integrate Java...
 
JS Fest 2019/Autumn. Maciej Treder. Angular Schematics - Develop for developers
JS Fest 2019/Autumn. Maciej Treder. Angular Schematics - Develop for developersJS Fest 2019/Autumn. Maciej Treder. Angular Schematics - Develop for developers
JS Fest 2019/Autumn. Maciej Treder. Angular Schematics - Develop for developers
 
JS Fest 2019/Autumn. Kyle Boss. A Tinder Love Story: Create a Wordpress Blog ...
JS Fest 2019/Autumn. Kyle Boss. A Tinder Love Story: Create a Wordpress Blog ...JS Fest 2019/Autumn. Kyle Boss. A Tinder Love Story: Create a Wordpress Blog ...
JS Fest 2019/Autumn. Kyle Boss. A Tinder Love Story: Create a Wordpress Blog ...
 
JS Fest 2019/Autumn. Андрей Старовойт. Зачем нужен тип "true" в TypeScript?
JS Fest 2019/Autumn. Андрей Старовойт. Зачем нужен тип "true" в TypeScript?JS Fest 2019/Autumn. Андрей Старовойт. Зачем нужен тип "true" в TypeScript?
JS Fest 2019/Autumn. Андрей Старовойт. Зачем нужен тип "true" в TypeScript?
 
JS Fest 2019/Autumn. Eyal Eizenberg. Tipping the Scale
JS Fest 2019/Autumn. Eyal Eizenberg. Tipping the ScaleJS Fest 2019/Autumn. Eyal Eizenberg. Tipping the Scale
JS Fest 2019/Autumn. Eyal Eizenberg. Tipping the Scale
 
JS Fest 2019/Autumn. Sota Ohara. Сreate own server less CMS from scratch
JS Fest 2019/Autumn. Sota Ohara. Сreate own server less CMS from scratchJS Fest 2019/Autumn. Sota Ohara. Сreate own server less CMS from scratch
JS Fest 2019/Autumn. Sota Ohara. Сreate own server less CMS from scratch
 
JS Fest 2019/Autumn. Джордж Евтушенко. Как стать программистом, которого хотят
JS Fest 2019/Autumn. Джордж Евтушенко. Как стать программистом, которого хотятJS Fest 2019/Autumn. Джордж Евтушенко. Как стать программистом, которого хотят
JS Fest 2019/Autumn. Джордж Евтушенко. Как стать программистом, которого хотят
 
JS Fest 2019/Autumn. Алексей Орленко. Node.js N-API for Rust
JS Fest 2019/Autumn. Алексей Орленко. Node.js N-API for RustJS Fest 2019/Autumn. Алексей Орленко. Node.js N-API for Rust
JS Fest 2019/Autumn. Алексей Орленко. Node.js N-API for Rust
 
JS Fest 2019/Autumn. Daniel Ostrovsky. Falling in love with decorators ES6/Ty...
JS Fest 2019/Autumn. Daniel Ostrovsky. Falling in love with decorators ES6/Ty...JS Fest 2019/Autumn. Daniel Ostrovsky. Falling in love with decorators ES6/Ty...
JS Fest 2019/Autumn. Daniel Ostrovsky. Falling in love with decorators ES6/Ty...
 
JS Fest 2019/Autumn. Андрей Андрийко. Гексагональна архітектура в Nodejs проекті
JS Fest 2019/Autumn. Андрей Андрийко. Гексагональна архітектура в Nodejs проектіJS Fest 2019/Autumn. Андрей Андрийко. Гексагональна архітектура в Nodejs проекті
JS Fest 2019/Autumn. Андрей Андрийко. Гексагональна архітектура в Nodejs проекті
 
JS Fest 2019/Autumn. Борис Могила. Svelte. Почему нам не нужно run-time ядро
JS Fest 2019/Autumn. Борис Могила. Svelte. Почему нам не нужно run-time ядроJS Fest 2019/Autumn. Борис Могила. Svelte. Почему нам не нужно run-time ядро
JS Fest 2019/Autumn. Борис Могила. Svelte. Почему нам не нужно run-time ядро
 
JS Fest 2019/Autumn. Виталий Кухар. Сравнение кластеризации HTTP, TCP и UDP н...
JS Fest 2019/Autumn. Виталий Кухар. Сравнение кластеризации HTTP, TCP и UDP н...JS Fest 2019/Autumn. Виталий Кухар. Сравнение кластеризации HTTP, TCP и UDP н...
JS Fest 2019/Autumn. Виталий Кухар. Сравнение кластеризации HTTP, TCP и UDP н...
 
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложениеJS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
 
JS Fest 2019. Mauricio Palma. You can’t read this sentence - A11y automation
JS Fest 2019. Mauricio Palma. You can’t read this sentence - A11y automationJS Fest 2019. Mauricio Palma. You can’t read this sentence - A11y automation
JS Fest 2019. Mauricio Palma. You can’t read this sentence - A11y automation
 
JS Fest 2019. Владимир Агафонкин. Быстро по умолчанию: алгоритмическое мышлен...
JS Fest 2019. Владимир Агафонкин. Быстро по умолчанию: алгоритмическое мышлен...JS Fest 2019. Владимир Агафонкин. Быстро по умолчанию: алгоритмическое мышлен...
JS Fest 2019. Владимир Агафонкин. Быстро по умолчанию: алгоритмическое мышлен...
 
JS Fest 2019. Артур Торосян. V8 - взгляд на асинхронность и работу с ОС изнутри
JS Fest 2019. Артур Торосян. V8 - взгляд на асинхронность и работу с ОС изнутриJS Fest 2019. Артур Торосян. V8 - взгляд на асинхронность и работу с ОС изнутри
JS Fest 2019. Артур Торосян. V8 - взгляд на асинхронность и работу с ОС изнутри
 
JS Fest 2019. Anjana Vakil. Serverless Bebop
JS Fest 2019. Anjana Vakil. Serverless BebopJS Fest 2019. Anjana Vakil. Serverless Bebop
JS Fest 2019. Anjana Vakil. Serverless Bebop
 
JS Fest 2019. Andrew Betts. Headers for hackers
JS Fest 2019. Andrew Betts. Headers for hackersJS Fest 2019. Andrew Betts. Headers for hackers
JS Fest 2019. Andrew Betts. Headers for hackers
 
JS Fest 2019. Sebastian Golasch. The Universal Serial Web
JS Fest 2019. Sebastian Golasch. The Universal Serial WebJS Fest 2019. Sebastian Golasch. The Universal Serial Web
JS Fest 2019. Sebastian Golasch. The Universal Serial Web
 
JS Fest 2019. Игорь Березин и Николай Крещенко. Эволюция архитектуры многогра...
JS Fest 2019. Игорь Березин и Николай Крещенко. Эволюция архитектуры многогра...JS Fest 2019. Игорь Березин и Николай Крещенко. Эволюция архитектуры многогра...
JS Fest 2019. Игорь Березин и Николай Крещенко. Эволюция архитектуры многогра...
 

Recently uploaded

Standardized tool for Intelligence test.
Standardized tool for Intelligence test.Standardized tool for Intelligence test.
Standardized tool for Intelligence test.
deepaannamalai16
 
A Free 200-Page eBook ~ Brain and Mind Exercise.pptx
A Free 200-Page eBook ~ Brain and Mind Exercise.pptxA Free 200-Page eBook ~ Brain and Mind Exercise.pptx
A Free 200-Page eBook ~ Brain and Mind Exercise.pptx
OH TEIK BIN
 
spot a liar (Haiqa 146).pptx Technical writhing and presentation skills
spot a liar (Haiqa 146).pptx Technical writhing and presentation skillsspot a liar (Haiqa 146).pptx Technical writhing and presentation skills
spot a liar (Haiqa 146).pptx Technical writhing and presentation skills
haiqairshad
 
Oliver Asks for More by Charles Dickens (9)
Oliver Asks for More by Charles Dickens (9)Oliver Asks for More by Charles Dickens (9)
Oliver Asks for More by Charles Dickens (9)
nitinpv4ai
 
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdfREASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
giancarloi8888
 
Juneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School DistrictJuneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School District
David Douglas School District
 
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
EduSkills OECD
 
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptxCapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
CapitolTechU
 
SWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptxSWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptx
zuzanka
 
Accounting for Restricted Grants When and How To Record Properly
Accounting for Restricted Grants  When and How To Record ProperlyAccounting for Restricted Grants  When and How To Record Properly
Accounting for Restricted Grants When and How To Record Properly
TechSoup
 
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptxBIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
RidwanHassanYusuf
 
The basics of sentences session 7pptx.pptx
The basics of sentences session 7pptx.pptxThe basics of sentences session 7pptx.pptx
The basics of sentences session 7pptx.pptx
heathfieldcps1
 
Data Structure using C by Dr. K Adisesha .ppsx
Data Structure using C by Dr. K Adisesha .ppsxData Structure using C by Dr. K Adisesha .ppsx
Data Structure using C by Dr. K Adisesha .ppsx
Prof. Dr. K. Adisesha
 
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) CurriculumPhilippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
MJDuyan
 
BPSC-105 important questions for june term end exam
BPSC-105 important questions for june term end examBPSC-105 important questions for june term end exam
BPSC-105 important questions for june term end exam
sonukumargpnirsadhan
 
How to Setup Default Value for a Field in Odoo 17
How to Setup Default Value for a Field in Odoo 17How to Setup Default Value for a Field in Odoo 17
How to Setup Default Value for a Field in Odoo 17
Celine George
 
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
indexPub
 
Contiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptxContiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptx
Kalna College
 
220711130083 SUBHASHREE RAKSHIT Internet resources for social science
220711130083 SUBHASHREE RAKSHIT  Internet resources for social science220711130083 SUBHASHREE RAKSHIT  Internet resources for social science
220711130083 SUBHASHREE RAKSHIT Internet resources for social science
Kalna College
 
Simple-Present-Tense xxxxxxxxxxxxxxxxxxx
Simple-Present-Tense xxxxxxxxxxxxxxxxxxxSimple-Present-Tense xxxxxxxxxxxxxxxxxxx
Simple-Present-Tense xxxxxxxxxxxxxxxxxxx
RandolphRadicy
 

Recently uploaded (20)

Standardized tool for Intelligence test.
Standardized tool for Intelligence test.Standardized tool for Intelligence test.
Standardized tool for Intelligence test.
 
A Free 200-Page eBook ~ Brain and Mind Exercise.pptx
A Free 200-Page eBook ~ Brain and Mind Exercise.pptxA Free 200-Page eBook ~ Brain and Mind Exercise.pptx
A Free 200-Page eBook ~ Brain and Mind Exercise.pptx
 
spot a liar (Haiqa 146).pptx Technical writhing and presentation skills
spot a liar (Haiqa 146).pptx Technical writhing and presentation skillsspot a liar (Haiqa 146).pptx Technical writhing and presentation skills
spot a liar (Haiqa 146).pptx Technical writhing and presentation skills
 
Oliver Asks for More by Charles Dickens (9)
Oliver Asks for More by Charles Dickens (9)Oliver Asks for More by Charles Dickens (9)
Oliver Asks for More by Charles Dickens (9)
 
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdfREASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
 
Juneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School DistrictJuneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School District
 
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
 
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptxCapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
 
SWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptxSWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptx
 
Accounting for Restricted Grants When and How To Record Properly
Accounting for Restricted Grants  When and How To Record ProperlyAccounting for Restricted Grants  When and How To Record Properly
Accounting for Restricted Grants When and How To Record Properly
 
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptxBIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
 
The basics of sentences session 7pptx.pptx
The basics of sentences session 7pptx.pptxThe basics of sentences session 7pptx.pptx
The basics of sentences session 7pptx.pptx
 
Data Structure using C by Dr. K Adisesha .ppsx
Data Structure using C by Dr. K Adisesha .ppsxData Structure using C by Dr. K Adisesha .ppsx
Data Structure using C by Dr. K Adisesha .ppsx
 
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) CurriculumPhilippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
 
BPSC-105 important questions for june term end exam
BPSC-105 important questions for june term end examBPSC-105 important questions for june term end exam
BPSC-105 important questions for june term end exam
 
How to Setup Default Value for a Field in Odoo 17
How to Setup Default Value for a Field in Odoo 17How to Setup Default Value for a Field in Odoo 17
How to Setup Default Value for a Field in Odoo 17
 
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
 
Contiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptxContiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptx
 
220711130083 SUBHASHREE RAKSHIT Internet resources for social science
220711130083 SUBHASHREE RAKSHIT  Internet resources for social science220711130083 SUBHASHREE RAKSHIT  Internet resources for social science
220711130083 SUBHASHREE RAKSHIT Internet resources for social science
 
Simple-Present-Tense xxxxxxxxxxxxxxxxxxx
Simple-Present-Tense xxxxxxxxxxxxxxxxxxxSimple-Present-Tense xxxxxxxxxxxxxxxxxxx
Simple-Present-Tense xxxxxxxxxxxxxxxxxxx
 

JS Fest 2019/Autumn. Сергій Стоцький. CASL. Isomorphic Permission Management

  • 2. Who am I and what I do here? Experience: ● working from dark times of IE6 ● PHP, Ruby, Nodejs, ~Java and .NET Core Hobbies: ● chess, books ● articles , open source contribution
  • 6. Why CASL? <div v-if="user.role === 'admin' || post.authorId === user.id"> <button @click="publish">Publish</button> </div>
  • 7. Why CASL? <div v-if="user.role === 'admin' || user.role === 'moderator' || post.authorId === user.id"> <button @click="publish">Publish</button> </div>
  • 9. Why CASL? <div v-if="can('publish')"> <button @click="publish">Publish</button> </div>
  • 10. Why CASL? <div v-if="can('publish', 'Post')"> <button @click="publish">Publish</button> </div>
  • 12. How to CASL Evolve ACL as requirements evolve1 What’s special in CASL? Declarative configuration2 In-memory validation and database queries3 MongoDB-like conditions4 Serializable rules5
  • 13. How to CASLHow to CASLHow to CASL
  • 14. How to CASLPermissions: admin can manage all
  • 15. How to CASLPermissions: writer can create Article can read Article where published = true can read, update Article where author = me can delete, publish Article where author = me and published = false can read, update User where id = me
  • 16. How to CASLPermissions: unauthenticated can read Article where published = true
  • 17. How to CASLCASL: admin can('manage', 'all')
  • 18. How to CASLCASL: admin import { AbilityBuilder } from '@casl/ability' const { can } = AbilityBuilder.extract() can('manage', 'all')
  • 19. How to CASLCASL: writer can('create', 'Article') can('read', 'Article', { published: true }) can(['read', 'update'], 'Article', { authorId: user.id }) can(['delete', 'publish'], 'Article', { authorId: user.id, published: false }) can(['read', 'update'], 'User', { id: user.id })
  • 20. How to CASLCASL: unauthenticated can('read', 'Article', { published: true })
  • 21. How to CASLCASL validation: seeds const myUser = new User({ id: 1, email: 'writer@casl.io' }) const myDraft = new Article({ authorId: myUser.id, published: false }) const myArticle = new Article({ authorId: myUser.id, published: true })
  • 22. How to CASLCASL validation: seeds const anotherUser = new User({ email: 'another.writer@casl.io' }) const anotherDraft = new Article({ ... }) const anotherArticle = new Article({ ... })
  • 23. How to CASLCASL validation: admin import { Ability } from '@casl/ability' import { rulesForAdmin } from './rules' const ability = new Ability(rulesForAdmin()) ability.can('read', 'Article') // true ability.can('read', 'User') // true ability.can('read', myArticle) // true
  • 24. How to CASLCASL validation: writer const ability = new Ability(rulesForWriter(myUser)) ability.can('create', 'Article') // true ability.can('read', anotherDraft) // false ability.can('read', anotherArticle) // true ability.can('read', myDraft) // true ability.can('read', myArticle) // true
  • 25. How to CASLCASL validation: unauthenticated const ability = new Ability(rulesForAnonymous()) ability.can('read', 'Article') // true ability.can('read', anotherArticle) // true ability.can('read', anotherUser) // false ability.can('read', anotherDraft) // false ability.can('create', 'Article') // false
  • 26.
  • 27. How to CASLCASL Demo Vue app Express API
  • 28. How to CASLCASL Alternatives
  • 29. Downloads / month Github stars Size (gzip) Last updated Tree shaking Instance validation Attribute validation DB Queries @casl/ability 105k 1.6k 3.9K 2 weeks ago Yes Yes Yes Yes acl 31k 2.3k 56.6K 2 years ago No No No No accesscontrol 44k 965 7.7K 10 months ago Maybe No Yes No connect-roles 20k 704 5.2K 9 months ago No No No No casbin 16k 670 34.6K 2 months ago Maybe Yes Yes No cancan 1.7k 578 985 1 year ago No Yes No No How to CASLCASL Alternatives
  • 30. THERE IS NO MAGIC HERE
  • 31. How to CASLNo Magic Behind! SQL joins1 Synchronous2 Specification pattern3
  • 32. How to CASLWhat else? NO ROLES IN MY ACL
  • 33. How to CASLWhat else? Feature flags
  • 34. How to CASLWhat else? Hardware capabilities
  • 35. How to CASLWhat else? Business logic async function rulesForUser(user) { const { rules, can, cannot } = AbilityBuilder.extract() can('read', 'Post') if (user.hasActiveSubscription()) { can('update', 'Post', { userId: user.id }) } else { cannot('update', 'Post') .because('Your subscription has been expired') } return rules })
  • 36. CASL Isomorphic Permission Management Sergii Stotskyi sergiy.stotskiy@gmail.com ?