Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inverted-only rules #170

Closed
liukaren opened this issue Mar 22, 2019 · 4 comments
Closed

Inverted-only rules #170

liukaren opened this issue Mar 22, 2019 · 4 comments
Labels
bug casl/mongoose

Comments

@liukaren
Copy link
Contributor

Is the case of inverted-only rules in the casl-mongoose library supported?

For example, if I add this test case to the mongo-query spec:

it('ignores inverted-only rules', () => {
  const ability = AbilityBuilder.define((can, cannot) => {
    cannot('read', 'Post', { private: true })
  })
  const query = toMongoQuery(ability, 'Post')

  expect(query).to.equal(null)
})

It fails with: AssertionError: expected { '$and': [ { '$nor': [Object] } ] } to equal null, so it will query for all non-private Posts, instead of no Posts.

Perhaps it is silly to only have a negative rule, but I noticed this when I wanted to copy-paste a negative rule across the board, and it granted permissions to some abilities that had no permissions in the first place.
@stalniy
Copy link
Owner

stalniy commented Mar 22, 2019

This is a bug. Thanks for the issue!

So, I think the proposed fix is to check if there are only inverted rules then return null

@liukaren
Copy link
Contributor Author

Yes, sounds good to me! 👍

@stalniy
Copy link
Owner

stalniy commented Mar 25, 2019

Fixed in @casl/[email protected]

@liukaren
Copy link
Contributor Author

So fast! Thank you

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug casl/mongoose
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@stalniy @liukaren