Allow accessibleBy to throw ForbiddenError when the query is denied #404
Comments
Hi, thanks for the issue. Frankly speaking, its requirement is a bit hard to implement. And this is why:
Thus exception throwing needs to be implemented on the internals of the mongoose query, which is a bit unsafe and probably won't work in all cases. I also need to say that I haven't checked the mongoose source code for about a year, so maybe something has changed and there is a better way. If you know how to do this, please share :) Also, if you can implement it and send a PR, it'd be awesome.
Thanks for the quick reply. I think another (maybe easier) solution can be maybe changing
I'll try to look into mongoose's source code as well and maybe come up with something.
Currently the workaround is to check permissions on the subject type before constructing the query. Just do:

```js
if (!ability.can("read", "Todo")) {
  // user has no access to Todo at all
}
// user has access; let's see whether there is something in the database for him
Todo.accessibleBy(...)
```
I found private
@stalniy: Is it documented somewhere? I never heard of it or saw it in Mongoose's documentation.
Undocumented private method. There will be additional logic that will prevent data exposure in case of insufficient permissions. Update: I created an issue Automattic/mongoose#9784
I think that it's possible just to monkey patch
Will be released in the next version.
@stalniy Thank you so much!
🎉 This issue has been resolved in version 4.0.0 🎉 The release is available on: Your semantic-release bot 📦🚀
This is not working for me and I'm still getting a null. Anyone else having this issue? I'm using casl 5.4.3 and casl/mongoose 5.0.0.
In order to reproduce your case, I need to see the rules. There is only one reason for this thing to throw: if there are no rules, or it can understand that the rules will evaluate to nothing. If there are conditions which are checked by the db, and nothing is found due to the restrictions of those conditions, there is no way to know whether the item exists and is forbidden or doesn't exist at all. Very likely it's your case.
That makes sense, your evaluation is correct! Thank you!
Is your feature request related to a problem? Please describe.
First, thanks for this amazing library, it's really helpful in many ways.
By using @casl/mongoose and, for example, ExpressJS, I'm trying to find a way to distinguish between "document not found" and "forbidden" errors. For example here:
In both cases, when either the document is not found or the user is not allowed to access it, null is returned in the todo variable.
Describe the solution you'd like
By giving the option (maybe by adding an argument to .accessibleBy or, even better, plugin configuration) to throw ForbiddenError automatically in case of authorization failure, we can return a 403 status for any caught ForbiddenError thrown by the endpoints. For example:
Describe alternatives you've considered (optional)
Using mongoose's .orFail() method, but integrating this ability in @casl/mongoose instead can really ease the usage in most cases, instead of patching every endpoint.