How to Manage User Access in NestJS | Authorization with CASL

Поделиться
HTML-код
  • Опубликовано: 26 дек 2024

Комментарии • 160

  • @mariusespejo
    @mariusespejo  Год назад +23

    Fyi on v6 of CASL the Ability class is deprecated, instead you need to use “createMongoAbility”. For example at 8:04 you should instead use:
    const builder = new AbilityBuilder(createMongoAbility)

    • @fasenderos
      @fasenderos Год назад +5

      For type checking
      const builder = new AbilityBuilder(createMongoAbility);

    • @user-sl1tw9vg8x
      @user-sl1tw9vg8x Год назад +4

      and instead of:
      export type AppAbility = Ability
      use:
      export type AppAbility = MongoAbility
      ?

    • @mariusespejo
      @mariusespejo  Год назад

      That’s right

    • @hateem8287
      @hateem8287 Год назад +2

      I lost it trying to research the new syntax but seems all I had to do is check the comments 😂

    • @helios8567
      @helios8567 Год назад

      @mariusespejo why Mongo? How is CASL related to mongo?

  • @Kotzuo
    @Kotzuo 2 года назад +27

    Dude, seriously, keep doing your tutorials, they are really good, it really saved me when I was learning nest, thanks!

    • @mariusespejo
      @mariusespejo  2 года назад +1

      Glad to have helped! thanks for stopping by to comment 😄

  • @preciousadedibu1821
    @preciousadedibu1821 2 года назад +3

    Your nestjs authentication video helped me land my first full time Job in tech and now your videos are helping me keep it.
    Keep up the good work, you're awesome.

    • @mariusespejo
      @mariusespejo  2 года назад

      That’s awesome man! I’m glad to have helped in some way, Congratulations on getting your first job!

    • @preciousadedibu1821
      @preciousadedibu1821 2 года назад

      @@mariusespejo Thank you

  • @mattc16
    @mattc16 2 года назад +7

    Keep up the great content. I appreciate how you get to the point and assume the viewer has knowledge fundamentals on any included topics (NestJS, Casl). It makes your video title truthful and allows you to dive deeper into the topic without making it too long. Also really appreciate your edits and how clean they are. Not sure how you do it honestly. Keeping the audio going seamlessly while cutting out typos and cutting in typo fixes. Subbed!

    • @mariusespejo
      @mariusespejo  2 года назад +2

      Thank you so much! RUclips has honestly just been sort of a big experiment for me and feedback like yours is very helpful!

  • @Javad3222
    @Javad3222 10 месяцев назад

    Dude your tutorial and presentation is very informative and showing the different ways of implementation is the highlight one . 👍

  • @lifeok6188
    @lifeok6188 2 года назад +1

    Hi @Marius, fantastic content as usual 👏. 0:03 nice presentation 😜 I was featured

  • @oldo-nicho
    @oldo-nicho Год назад

    Revisiting this video after having watched it about a year ago. Such great content. Thank you

  • @mantootripathi7519
    @mantootripathi7519 2 месяца назад

    Simple and great. Thanks for such videos

  • @LeParadoxHD
    @LeParadoxHD 2 года назад +5

    What I personally do is create 2 SetMetadatas, one for the controller to set the entity to use at class level (ex: @SetEntity(User)), and the second one to set the required permission at method level (ex: @RequiresPermission(Action.Update)). Then all the logic to get the entity instance and check for permission is in the AbilityGuard.

    • @Grapeoff
      @Grapeoff 2 года назад +2

      UPD: I had to rewrite my comment because my previous comment got spammed because of the link to my GitHub (Marius, unblock it, please :) there's a lot of useful information for other people and, maybe, for your next video).
      Yeah, I did the same thing. I need to hide data from the user based on his rights and protect my endpoints via action rights. So I created @RequiredRights decorator and ActionRights Guard where I check if the user has required rights or not, also I created @Public decorator to mark endpoints that don't require authorization.
      To hide data from users, I used class-transformer, custom RightsBasedSerializer Interceptor and @SetResponseTransformationType decorator to explicitly mark what type my endpoint returns.
      I think my way is more convenient than CASL.

    • @mariusespejo
      @mariusespejo  2 года назад +1

      Interesting ideas, thanks I will explore those!!
      RagNCode: sorry youtube will automatically delete if you post a link, it’s not even held for review on my end, it’s gone

    • @Grapeoff
      @Grapeoff 2 года назад

      @@mariusespejo If you will need more information, my github nickname is GrapeoffJS, go to CRMServer repo and switch to refactoring branch (pls don’t look at the master branch, there are a lot of messy code, i am embarrassing :))
      It seems there’s no information about my method in the internet, so I had to come up with it by myself, so if you are really inspired by this, my repo can help you I think.

    • @mariusespejo
      @mariusespejo  2 года назад +1

      Thanks for sharing!

  • @thelanelim92
    @thelanelim92 2 года назад

    I was about to comment on your other video to make this video but you already made it. Subscribed. Keep up good work!

  • @hymair
    @hymair 2 года назад +1

    Much cleaner implementation than the one in the Nest docs! Thank you, keep it up!

  • @aghileslounis
    @aghileslounis 2 года назад

    Gifted individual, seriously a pleasure following and learning along with you

  • @shahromkurbonov3117
    @shahromkurbonov3117 9 месяцев назад +1

    Can you share the repository of this code example, please?

  • @ngocludoan2045
    @ngocludoan2045 2 года назад

    Master of NestJs

  • @ridwanabdulkareem4349
    @ridwanabdulkareem4349 4 месяца назад

    2 years later and this is very very helpful to me. Thanks.
    One question though, I am trying to have that kinda policies guard, but I'm having a difficulty pulling the data for the user to do the can check. Any links to read up please?

  • @mraiorigin
    @mraiorigin 2 года назад

    You got a thumbs up before I even saw the video. Keep up the good work!

  • @lucasfontesgaspareto
    @lucasfontesgaspareto Год назад

    amazing teaching, rich knowledge, thank you very much

  • @bemolxd
    @bemolxd 2 года назад

    Another great video! Love that! With ur help I've started my Nestjs journey

  • @permanar_
    @permanar_ 2 года назад

    You're so underated dude like for real!! I'm really inspired so much because of you.
    Plan to make a RUclips Channel that also cover Nest.js if I lucky enough, ha!
    Wish me luck.

    • @mariusespejo
      @mariusespejo  2 года назад

      Go for it! I personally hesitated for way too long. Best advice honestly is to just try it.
      You can get a pretty good sounding usb microphone for fairly cheap nowadays. That’s all you really need!
      It’s not even about luck honestly, mostly just about being persistent. But good luck anyways!

  • @bloodboy21
    @bloodboy21 2 года назад

    Thanks for all your videos, nestjs is my favorite framework like your channel

  • @tuliosan9399
    @tuliosan9399 2 года назад

    I was studying for an interview and nestjs was a requirement. I think I've watched all nestjs videos on this channel at least twice (5 times the teamseas one lol) and now I'm making almost 5 times what I used to do at my old job. Still not sure if I'm dreaming lol

    • @mariusespejo
      @mariusespejo  2 года назад

      Happy to hear that! sounds like you put in the time to prep, and it paid off, nice work 💪💪💪

  • @musbell
    @musbell 2 года назад

    At last! Awesome! Thanks Marius : )

  • @foofighterdaz
    @foofighterdaz 2 года назад

    Yes Marius! You're a machine, thanks!

  • @skryonline5825
    @skryonline5825 Год назад +1

    @deprecated
    use createMongoAbility function instead and MongoAbility interface. In the next major version PureAbility will be renamed to Ability and this class will be removed
    'Ability' is deprecated. Maybe you could update the tutorial or use Casbin instead. Great content, smooth approach to teaching

    • @mariusespejo
      @mariusespejo  Год назад +3

      Good callout, it a minor thing though I wouldn’t make an entirely new video just for that. I did add a pinned comment to mention it.
      As for casbin, not very familiar, but I would personally pick a library purposely built for JS rather than just having a JS version of it.

  • @Elanordt
    @Elanordt 2 года назад +3

    Do you have github repository with those codes?

  • @AmZaDin14
    @AmZaDin14 2 года назад

    I'm really liked your nestjs playlist, because of it's easy to understand explanations, Thanks a lot. Could you make a video about file uploading in NestJS?

    • @mariusespejo
      @mariusespejo  2 года назад +1

      Thanks! I’ll add it to my todo list!

  • @ralfhannuschka8698
    @ralfhannuschka8698 2 года назад

    I can't say thank you enough, but thank you so much for the tutorial it helped me a lot.

  • @larryluck7305
    @larryluck7305 2 года назад

    Super good videos. If I had a well documented open source project I'd definitely be trying to sponsor you do a video on it

  • @yasirhassan8557
    @yasirhassan8557 Год назад

    Great learning. Just wanting to know, if you want to do the update/Patch thing, how would you do with custom decorator?

    • @mariusespejo
      @mariusespejo  Год назад

      I did cover several examples of using the custom decorator for the get/delete. It’s the same exact concept, I recommend go back and review that pattern. Setup your ability to add can/cannot for updates. User the decorator to say that your controller method requires that it can update that subject.

  • @munnazzahaslam
    @munnazzahaslam Год назад

    Great video, helped a lot!

  • @shivanshpatel4072
    @shivanshpatel4072 2 года назад

    I learned alot from your videos

  • @wissembenbrinis5258
    @wissembenbrinis5258 2 года назад

    Keep up the good work bro and thank you

  • @e.magnoneto5101
    @e.magnoneto5101 8 месяцев назад

    Hi marius, i really like you tutorials and helped me a lot. I had a concern about, if a i had another endpoint, like, not a crud endpoint, how i protect them? Or i should had a endpoint like that?

    • @mariusespejo
      @mariusespejo  8 месяцев назад +1

      Not sure I understand your question. Auth really has nothing to do with whether or not it’s a crud endpoint. You would protect any endpoint basically in the same way, it’s all the same fundamentals. With Nest specifically you would use guards to do most of your auth checks

    • @e.magnoneto5101
      @e.magnoneto5101 8 месяцев назад

      Ok, I'll rephrase, I have endpoints different from those of basic CRUD, for example, getall, get, update, delete and create, I have endpoints on the user to add groups, @post /add-user, it is not a common update, as Only some users will be able to do this, not everyone with write permission. How could I do this granular control using casl. Or should I not have an endpoint like that? and only use the common update, e.g. @patch /User.

    • @e.magnoneto5101
      @e.magnoneto5101 8 месяцев назад

      I made some tables, like services and groups, i group can have many services, and one User can hava many Groups. My service table is like: Route, Method, Name, Description. So if a have one group with one service, i can do the request to that service endpoint. I want my guard check if my user have that service. I using the right approach? i dont know, but this is what i´m doing. Pls give a light about it

    • @mariusespejo
      @mariusespejo  8 месяцев назад +1

      Re: your question about /add-user, with CASL you should be able to define granular control. I thought that I covered that in this video but if not, there is another video in my channel where I introduce CASL in detail. But basically you would define an ability off of the “User” subject, such as
      can( ‘create’, User, conditions ) // what conditions is up to you, e.g. { accessLevel: ‘X’ }
      Every user then would then have their ability built off those rules that you put into place.
      If you have a dedicated route for /add-user then you could protect that with a custom guard such as @RequirePermisssions(Permission.CREATE_USER)
      Which internally would simply check userAbility.can(‘create’, User)
      If you instead had a common update endpoint, and wanted granular control depending on what field they are updating then you would do something like
      If (dto.someProperty && userAbility.cannot( ‘update’, User, [ ‘someProperty ] ) then throw new ForbiddenException()
      Basically whatever your granular restrictions are, CASL should be able to model with a combination of action, subject, fields, and conditions. Once you have that model created, you simply create the ability object for each user, and you can do your checks either in guards or within the service layer. It’s up to you. I suggest reviewing CASL docs in detail for all of this to make sense

    • @e.magnoneto5101
      @e.magnoneto5101 8 месяцев назад

      @@mariusespejo thx, i will study more about and try it.

  • @istbanane
    @istbanane 2 года назад

    Thank you for the video. You explain it great.
    It would be great if you could explain this in the context of Angular.
    How can I display pages only for certain users?

    • @mariusespejo
      @mariusespejo  2 года назад

      The fundamentals to understand is that you need to define the permissions and do ability.can() checks where you need to do it.. e.g. you might have ability.can(‘read’, ‘dashboard’) … how you enable/disable routes in your app based on the outcome of that check however is up to you

  • @teknolovedigital
    @teknolovedigital 2 года назад

    Very great video Mr. Espejo. Do you have a plan to make video about nestJs casl with Prisma?

    • @mariusespejo
      @mariusespejo  2 года назад +1

      Potentially, I do want to cover prisma in general in more detail as I learn more about it. As for the casl integration if you need it sooner: as long as you have a good understanding of both prisma and casl, their docs seem straightforward (although I haven’t tried it personally) casl.js.org/v5/en/package/casl-prisma

    • @teknolovedigital
      @teknolovedigital 2 года назад

      @@mariusespejo Thank you for your response. After seeing some of your videos, I finally decided to just use the typeorm.

  • @appacc1600
    @appacc1600 2 года назад

    hi , thank you for your learning series , do you have any learning tutorial about angular and nest , and development and deploy together ?

    • @mariusespejo
      @mariusespejo  2 года назад

      not at the moment, likely won't cover Angular to be honest. If you want your app to deploy to together as one, then you need to setup your pipeline to statically build your angular SPA and have it served up by nest using serve static: docs.nestjs.com/recipes/serve-static

  • @veracsthedefiled
    @veracsthedefiled Год назад

    What about using it with prisma? It needs the actual DB record in the guard, sometimes I need to `include` also and check based on relationship record

  • @louislow2294
    @louislow2294 2 года назад

    Nice content mate! Nice to be learning NestJS Auth in this video.
    BTW what extension did you use to make that fade grey text intellisense appear when you are typing the code?

    • @mariusespejo
      @mariusespejo  2 года назад

      I’m pretty sure that’s actually just a vs code built-in setting but I’m not remembering what’s it’s called at the moment!

  • @timchen3062
    @timchen3062 2 года назад

    I have the same question on this topic recently.
    I implemented the rbac model using casbin to manage Nest Guard Middleware.
    Maybe I can consider CASL as another strategy choice.
    Nice introduction, so good!

    • @mariusespejo
      @mariusespejo  2 года назад +1

      It sounds like Casbin can also do ABAC if you want to switch strategies. Casl though was written in TS so it integrates a bit better with Nest I think

    • @timchen3062
      @timchen3062 2 года назад

      Exactly, appreciate that!

    • @sshahidmalik97
      @sshahidmalik97 Год назад

      @@timchen3062 Can you please share your repo link (if it is public) where you implemented casbin for Nest Guard Middleware, or you can guide me to some resource for the same. Thanks

  • @heisenbergyt49
    @heisenbergyt49 2 года назад +1

    Please make video on NestJs rate limiting using redis storage.

  • @mkroven
    @mkroven 2 года назад

    Great video again. Thank you. I tried nest-casl package. U may extend this subject with that package. And in addition, what do u think about custom logging. For detailed logs I need req in logs and pino offers that?

    • @mariusespejo
      @mariusespejo  2 года назад

      Nest-casl is pretty much just a slightly different implementation of the same thing we did here, only benefit is perhaps slightly less setup.
      For logging, Nest comes with a built in logger if you check the docs, it’s fairly basic. If it’s not good enough for you you can pretty much use any logger library out there and use it as middleware

  • @en_kratia
    @en_kratia 10 месяцев назад

    Thank you.

  • @ahmadalfy
    @ahmadalfy 2 года назад

    This is amazing thank you

  • @ritaross5956
    @ritaross5956 2 года назад

    Hello! Do you have repository to download your this app-code?

  • @alexandermol7131
    @alexandermol7131 Год назад

    I'm getting following error `Conversion of type 'Function' to type '"all"' may be a mistake because neither type sufficiently overlaps with the other.` on detectSubjectType, which is correct. Why aren't you getting this?

    • @hateem8287
      @hateem8287 Год назад

      I'm getting the same issue rn, can you provide the solution in case you fixed that error?

  • @monastyrskiiden
    @monastyrskiiden 2 месяца назад

    @mariusespejo Thank You for this detailed explanation. It's exactly what I was looking for. We are currently working on a huge monolith project, with an in-deep permission system, often we reuse methods from one service in another one. For this reason, we don't use guards but check permissions directly within the service method like in your example. It's quite the same as You showed in the tutorial, there are different organizations, and they have different user groups, so users can have various levels of access, The organization manager can manage everything inside the organization, but the group manager can only manage staff within his group. How would you implement this inside a service method? I find a guard implementation pretty clean and straightforward, but since we reuse service methods within other services directly, I'm afraid that we can find ourselves in a situation when for example user should not be allowed to access the organization, but he will be able to access some data within the organization because method will only check for it's own allowed actions, but not the whole hierarchy.

  • @lovenlive
    @lovenlive 2 года назад

    There is my comment shown there🤩🤩 thank u sir,
    And very helpful video,thank u sir🤩🔥

  • @wenyao
    @wenyao Год назад

    Is it possible to somehow read the path param (e.g. the :id) in the decorator so that the post ID can be part of the rule?

    • @mariusespejo
      @mariusespejo  Год назад +1

      Guards have access to the request and can extract that. But if you’re talking about the decorator that simply sets metadata I don’t think that has access to it.
      If I understand what you might be trying to achieve, it means you’ll have to create a custom guard that constructs the ability dynamically

    • @wenyao
      @wenyao Год назад

      @@mariusespejo so I have a user object which contains a list of posts which the user has access to, so when the user is trying to call a GET /posts/:id I would need to check if this user has permissions for reading this particular post. What would be the best way to achieve this?

    • @mariusespejo
      @mariusespejo  Год назад +1

      Well with CASL you’d achieve that by creating a condition like
      can(‘read’, Post, { id: { $in: user.postIds } })
      Basically your user ability that you create should have that defined in there, then at the time of access checking you just need to perform
      const post = await getPost(id);
      ability.can(‘read’, post);
      Although technically all you need is the Id, which you already have, so you probably don’t need to query the post upfront. So you’d have to work with your subject detection, so maybe you’d create a partial/psuedo post like
      const post = new Post();
      post.id = id;
      can(‘read’, post);
      You can do that logic within a custom guard for example.
      Hope that helps! For more ideas I suggest look through the docs more, ask around in stackoverflow, etc.

  • @hazielcastillo8887
    @hazielcastillo8887 6 месяцев назад

    Thank's!

  • @mamupelu565
    @mamupelu565 8 месяцев назад

    Bro what if I am doing a findAll() with a DTO, but the user should not see all of them because he has no access to it?

    • @mariusespejo
      @mariusespejo  8 месяцев назад

      That’s why you would set up something like CASL or similar, as a tool to check what access users have before performing an action. E.g. if the user is not allowed to see everything you either completely prevent it or you automatically filter by changing your filter to a “find where access matches x user’s privileges/role)

    • @mamupelu565
      @mamupelu565 8 месяцев назад

      @@mariusespejo
      Ok and what if the user can read some entity, and by extent he can read other entities related to it. How would I do that?
      something like
      can(Action.Manage, EntityX);
      can(Action.Manage, EntityY, where: {idEntityX = idEntityX});

  • @CarlosDaniel-yh3yr
    @CarlosDaniel-yh3yr Год назад

    can you share your vs code settings and extensions?

    • @mariusespejo
      @mariusespejo  Год назад

      it’s a lot to share in a comment dude, It’s nothing fancy… mostly defaults. Random color theme. Prettier, thunder client, Bunch of things for frontend like react snippets… what caught your eye?

  • @rickythegermanshepherd5438
    @rickythegermanshepherd5438 2 года назад

    Thank your 🙏

  • @Peter911
    @Peter911 2 года назад

    Is it the same with grapgql or will we need extra configuration

    • @mariusespejo
      @mariusespejo  2 года назад +1

      Guards in nestjs work for both rest and graphql so it should be mostly the same thing with maybe some minor changes

  • @AlexWohlbruck
    @AlexWohlbruck 2 года назад

    how can this pattern work when you need support multiple organizations for a user?

    • @mariusespejo
      @mariusespejo  2 года назад

      CASL doesn’t care however many “organizations” you might have, if you can represent the rules to create the ability for it, then it should work. Again it’s just a mixture of can and cannots. e.g. apply certain rules/ability given the user’s organization and whatever other conditions you might have, that’s totally doable

  • @EmaCeballos
    @EmaCeballos 10 месяцев назад

    Awesome tutorial! Now say instead of the 'user.orgId' property you had to compare against a 'user.org.id' property, how would you nest the $ne condition?

    • @mariusespejo
      @mariusespejo  10 месяцев назад

      Thanks! There is support for nested fields via dot notation, see: casl.js.org/v6/en/advanced/typescript#nested-fields-with-dot-notation

  • @mehmetsayn573
    @mehmetsayn573 Год назад

    what is your template for VScode ?

  • @basitwahid3452
    @basitwahid3452 2 года назад

    Kindly make video roles & permission with graphql

    • @mariusespejo
      @mariusespejo  2 года назад +1

      It’s honestly basically the same thing as what I covered here, guards in nest work for both rest and graphql

  • @ranggasunar9120
    @ranggasunar9120 2 года назад

    Dude, would you like make tutorial hide codebase connection with 2 different env prod and dev, so on the app.module.ts we just change dev or prod

    • @mariusespejo
      @mariusespejo  2 года назад

      Whatever you’re trying to have different between environments should be mostly handled by environment variables, e.g. if you have different database connections then that should be just coming in via env variables

  • @devisguift8686
    @devisguift8686 2 года назад

    Great tutorial thanks for your work, you are great. later can we have a tutorial on integration of multer in a nestjs api for the file and image upload

  • @sagar7929
    @sagar7929 2 года назад

    Also Try to make a tutorial on manage the user through RBAC?
    Does it possible to do?
    With use of prisma🙏🏽

    • @mariusespejo
      @mariusespejo  2 года назад +1

      I did cover basic rbac in the original authorization video that I mentioned. Also casl can also be used for rbac

    • @sagar7929
      @sagar7929 2 года назад

      @@mariusespejo sure I will looking in that tutorial.
      But I need admin can signup/login and create post. I am enum role user and admin where default is user and when i am trying to signup with a admin account but at that times give error. As simply admin account is not created. I used prisma as pg db is there, package use passportjwt, passwortlocal

  • @devsami
    @devsami 2 года назад

    Amazing tutorial, very effective learnt nestjs from your channel.
    I have been implementing casl with nestJs, although I am using database persisted permissions using mongoose.
    but am not able to understand how to check the ability. I have collection of roles:{role, permissionId[]} and a permissions:{action, subject,condition} collection which contains all the permissions. And I have defined ability factory with the Ability constructor and passed the authenticated user permissions in it.
    The only issue is how can I implement gaurd so that I don't have to rewrite the defineAbility and ForbiddenError logic in each controller methods.
    Also is it possible to use Gaurd while using casl-mongoose.
    Please help me!!

    • @mariusespejo
      @mariusespejo  2 года назад

      The purpose of guard is exactly so that you can define that logic in one place and not have to keep re-writing it so I’m not sure I understand your question. Your guard should be reusable. If you have that role/permission info in your database then you need to query it and map it to to an ability… once you have the ability it’s just a matter of checking authorization via can(). The fundamentals is pretty much what I covered in the video

    • @devsami
      @devsami 2 года назад

      @@mariusespejo Thanks for the quick response, I have been reading the casl documentation: cookbook/roles-with-persisted-permissions and in that documentation, it shows how to check the ability using ForbiddenError class: ForbiddenError.from(ability).throwUnlessCan('create', subject('Article', partialArticle)); here in this statement the second argument is the subject of the ability, in this case, it is the Article model and also a partialArticle object which they are creating.
      But the Gaurd which I have used in the project is using the ForbiddenError class to check the ability for each rule:
      rules.forEach((rule) => {
      ForbiddenError.from(ability).throwUnlessCan(rule.action, rule.subject)
      }) here I won't be able to pass the article which I am creating or looking for

  • @bidurnepali7965
    @bidurnepali7965 2 года назад

    Hye Marius great job. Can you do tutorial on casl rulesToQuery method for typeorm?

  • @danieljanjanocha7178
    @danieljanjanocha7178 2 года назад

    Hey, I really like your teaching style. Have you considered a full-blown nest course eg with mongo db (full project a-z) ? I'm sure you'd get a lot of participants on udemy!

    • @mariusespejo
      @mariusespejo  Год назад +1

      Maybe one day! I’m okay with putting stuff out for free for now and just focusing on growing the channel

  • @william3588
    @william3588 2 года назад

    Having the "isAdmin" property kinda defeats the purpose of PBAC? I was thinking on having all my permissions/grants stored on the database and act on them, not on the "isAdmin" property.

    • @mariusespejo
      @mariusespejo  2 года назад +1

      It’s just an extremely simple example of creating abilities off of the data that you have, obviously a real-world example would not be that simple. You absolutely can store your permissions on the database, casl allows you to initialize abilities off of json (for scenarios where the rules are dynamic or remote like yours). My original Casl video just before this one talk about it towards the end, or feel free to check the docs

    • @william3588
      @william3588 2 года назад

      @@mariusespejo thanks!

  • @spiritualprogrammer6797
    @spiritualprogrammer6797 2 года назад

    hello, Marius, thank you for your wonderful tutorial, but I'm stuck on this error:
    Nest can't resolve dependencies of the AbilityFactory (?). Please make sure that the argument CASL_FEATURE_OPTIONS at index [0] is available in the AbilityModule context.
    Possible solutions:
    - If CASL_FEATURE_OPTIONS is a provider, is it part of the current AbilityModule?
    - If CASL_FEATURE_OPTIONS is exported from a separate @Module, is that module imported within AbilityModule?
    @Module({
    imports: [ /* the Module containing CASL_FEATURE_OPTIONS */ ]
    })
    Error: Nest can't resolve dependencies of the AbilityFactory (?). Please make sure that the argument CASL_FEATURE_OPTIONS at index [0] is available in the AbilityModule context.
    Potential solutions:
    - If CASL_FEATURE_OPTIONS is a provider, is it part of the current AbilityModule?
    - If CASL_FEATURE_OPTIONS is exported from a separate @Module, is that module imported within AbilityModule?
    @Module({
    imports: [ /* the Module containing CASL_FEATURE_OPTIONS */ ]
    })

    • @mariusespejo
      @mariusespejo  2 года назад +1

      Did you follow the video as shown? That tells me you’re missing a dependency, did you install casl? Did you register the factory properly as a provider? Don’t think there’s much more to the setup than what I’ve shown here so make sure you didn’t miss any steps

    • @spiritualprogrammer6797
      @spiritualprogrammer6797 2 года назад

      @@mariusespejo Yes I followed the same steps as in the tutorial.
      I found the solution by renaming AbilityFactory to AbilityFactoryService .

  • @gethermedel3620
    @gethermedel3620 2 года назад

    coming from PHP/Laravel, setting this up is complicated compared to as how simple Gates are being implemented in Laravel. well this is expected as this is an external package.

    • @mariusespejo
      @mariusespejo  2 года назад +1

      The setup with Nest I think comes off complex because you have to line up the type definitions to make TS happy, and potentially make custom decorators, but the package itself is fairly simple and easy to use. But maybe laravel is really just simpler lol I’m not familiar

  • @GreenMerlin
    @GreenMerlin Год назад

    Can U create an update for casl v6 ?

    • @mariusespejo
      @mariusespejo  Год назад

      I don’t think there’s any difference, v6 just drops support for angular 13

    • @GreenMerlin
      @GreenMerlin Год назад

      @@mariusespejo it's not clear to me how detectSubejctType should look like in version 6, any hint ? :)

    • @mariusespejo
      @mariusespejo  Год назад

      If you compare the docs it’s basically the same thing between v5 and v6. They deprecated the Ability class in favor of createMongoAbility but I don’t see any other changes

  • @yevhenii9967
    @yevhenii9967 2 года назад

    can you upload this code from video to the github pls

  • @laxmanadhikari3989
    @laxmanadhikari3989 2 года назад

    can you please provide a git repo link, please?

    • @mariusespejo
      @mariusespejo  2 года назад

      Sorry I don’t have a repo for this at the moment

    • @laxmanadhikari3989
      @laxmanadhikari3989 2 года назад

      @@mariusespejo 😔 I am getting issues when I try to read from user table if login user is = to param id if you can provide me that code it will be very helpful

  • @Malcolm777-i
    @Malcolm777-i 2 года назад

    How about casl/prisma? 😀

    • @mattc16
      @mattc16 2 года назад +1

      I would love this with explanations on how to use conditions/fields because at the moment it seems as if conditions and fields can only be implemented outside of a guard (no matter the package). Been banging my head against the wall trying to gain access to those and use some of the @casl/prisma perks like the function accessibleBy(ability).Subject. Really wish they had more in depth examples on the site. Prisma is massively popular so it would be a great in depth video *nudge nudge* lol. Honestly, these NestJS and Casl videos are huge, there’s just not enough quality content on such mainstream libraries. Clientside JS/TS has all of the content with serverside lacking.

  • @odev6764
    @odev6764 2 года назад +1

    Could you share code with us ?

  • @TalebBahan
    @TalebBahan Год назад

    please can you provide the code

  • @gersur
    @gersur 9 месяцев назад

    Please upload this project to your github. I don't want to type manually the codes :(

  • @gosnooky
    @gosnooky 2 года назад

    Nice video. However, I would suggest that you don't ever add business or auth logic to controller methods - that's what services are for. You can derive the user from cookies or JWT via guards. Posting this comment at 17:44

    • @mariusespejo
      @mariusespejo  2 года назад +1

      Guards are actually the more proper place to do it, not services, which I did cover I believe if you watched the rest. And yes that is correct all business logic generally should be in services, but guards are meant to be used for both authentication and authorization.

  • @Debetcher
    @Debetcher 2 года назад

    Nice tutorial, but i think i made something wrong, while my subject and action work fine, coditions and fields have no impact :c

    • @mariusespejo
      @mariusespejo  2 года назад

      You like don’t have subject detection configured properly

  • @ibeeliot
    @ibeeliot 2 года назад

    It would be cool to also see the github for this. =/

  • @Marcos-bo4wm
    @Marcos-bo4wm 2 года назад

    🙏 Promo'SM.