-
-
Notifications
You must be signed in to change notification settings - Fork 274
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
accessibleBy does not throw an error as expected when using createPrismaAbility #794
Comments
Unfortunately it's not possible (at least I cant find a good way to do this). In order to narrow down, conditions I need to return back some In mongoose, there is a way to hook into query execution and return empty result or throw an error. If smth is possible in Prisma ecosystem (maybe with extensions), then potentially we can implement the same logic in Prisma |
In the past, casl-mongoose returned empty set in case user has no access to anything but later some people asked me to raise an exception instead. The issue here is that in case of database query it's impossible to solve this issue, correct me if I'm wrong somewhere. Look at this scenarios: Imagine we have a blog website where multiple authors can write articles and create drafts. Only draft author has access to own drafts. Now we have these situations:
When in this situation should we throw an error? In non of this cases. Only when this user initiates request to fetch drafts of other users (not own) but this may be forbidden technically (e.g., by using Potentially we could check that query somehow partially matched to allowed object will return allowed objects but even this doesn't give 100% guarantee whether user has access to smth or not. Because of queries like Imagine there is a resource in db and when smb access it without proper access, you return 403 -> this tells smth to the hacker:
When you return 404 instead, the hacker don't have these 2 points from the top ^^^ and for him now impossible to know whether this resource even exist. This is how github works, in case you access private repo, you will get 404 not 403. And from encapsulation and information hiding standpoint, this is nice. |
I found a way to return an empty list from db instead of throwing exception -> https://www.prisma.io/docs/concepts/components/prisma-client/null-and-undefined#the-effect-of-null-and-undefined-on-conditionals Basically if there is |
Describe the bug
I am using casl with the Prisma plugin. So far I think everything is working really nicely, but I've noticed that that the
accessibleBy
function does not throw an error when a restricted resource is being accessed, instead it seems to simply narrow the search query, so that nothing is returned if the user does not have permission to access the resource.To Reproduce
For example, here I've defined my ability:
Expected behavior
As mentioned in the documentation I am expecting a
ForbiddenError
to be thrown. However it seems that this query simply returns:suggesting that the
can
simply narrows the search results rather than throw an exception. Using afindFirst
and not using any filters and then asserting afterwards like so:seems to work, but this does not seem to be the intended behaviour.
CASL Version
"@casl/ability": "^6.5.0",
"@casl/prisma": "^1.4.0",
"@casl/react": "^3.1.0",
Environment:
node: ^18
The text was updated successfully, but these errors were encountered: