I'm using CASL React to set up authorization in my JavaScript project.
It works nicely when I have to ask whether a user has access to edit an article because he is the author.
But when I have more than one author, how can I check that the current user may edit this article?
```jsx
<Can I='edit' a={{ editor_ids: article.editor_ids, type: 'Article' }}
```
I do not understand how to check that the current user id is in the editor_ids in the ability.
```javascript
can('edit', 'Article', { editor_ids: ....something here for currentUser.id .... })
```
You can find details about this in Supported operators and in Common conditions.
In your particular example:
Define ability:
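```javascript
import { defineAbility } from '@casl/ability'

const options = {
  // https://casl.js.org/v4/en/guide/subject-type-detection
  // Logic to detect the subject type: read the `type` field that the objects
  // in the permission check carry; other values are passed through unchanged.
  detectSubjectType: (subject) => (subject && typeof subject === 'object' ? subject.type : subject)
}

export const createAbilityFor = (currentUser) => defineAbility(options, (can) => {
  can('edit', 'Article', { editor_ids: currentUser.id }) // can edit article if user.id is in editor_ids
})
```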
Check permissions:
```javascript
// createAbilityFor is the function from the previous example
const currentUser = { id: 1 }
const ability = createAbilityFor(currentUser);

ability.can('edit', { type: 'Article', editor_ids: [1, 2, 3] }) // true
ability.can('edit', { type: 'Article', editor_ids: [3, 4, 5] }) // false
```
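The rule the answer relies on (a scalar condition matches an array field when the array contains it) can be modelled in plain JavaScript to see where it denies. This is an added example, not part of the original answer and not CASL's code: `matchesCondition`, `buildRules`, `canDo` and the sample subjects are hypothetical, and strict equality plus the rejection of a missing user id are assumptions of this model.

```javascript
// Simplified model of the matching rule used in the answer; not CASL's code.
// A scalar condition matches a field equal to it, or an array field containing it.
function matchesCondition(fieldValue, expected) {
  // Fail closed: a missing user id must never match a missing field.
  if (expected === undefined || expected === null) return false;
  if (Array.isArray(fieldValue)) return fieldValue.includes(expected);
  return fieldValue === expected;
}

// Hypothetical rule list standing in for the ability defined in the answer.
function buildRules(currentUser) {
  return [
    { action: 'edit', subjectType: 'Article', conditions: { editor_ids: currentUser.id } },
  ];
}

// Default deny: access is granted only when one rule matches completely.
function canDo(rules, action, subject) {
  if (!subject || typeof subject !== 'object') return false;
  return rules.some((rule) =>
    rule.action === action &&
    rule.subjectType === subject.type &&
    Object.entries(rule.conditions).every(([field, expected]) =>
      matchesCondition(subject[field], expected)));
}

// Constructed sample subjects.
const samples = {
  shared: { type: 'Article', editor_ids: [1, 2, 3] },
  others: { type: 'Article', editor_ids: [3, 4, 5] },
  noEditors: { type: 'Article' },
  comment: { type: 'Comment', editor_ids: [1] },
};

function demo() {
  const rules = buildRules({ id: 1 });
  return {
    shared: canDo(rules, 'edit', samples.shared),           // user 1 is one of several editors
    others: canDo(rules, 'edit', samples.others),           // user 1 is not listed
    noEditors: canDo(rules, 'edit', samples.noEditors),     // field absent on the subject
    wrongType: canDo(rules, 'edit', samples.comment),       // rule covers Article only
    wrongAction: canDo(rules, 'delete', samples.shared),    // no rule for this action
    stringId: canDo(buildRules({ id: '1' }), 'edit', samples.shared), // '1' is not 1
    missingId: canDo(buildRules({}), 'edit', samples.noEditors),      // no user id at all
  };
}

console.log(demo());
```

The `stringId` case is the one to watch in practice: if the user id arrives as a string while `editor_ids` holds numbers, the check in this model denies, so normalise the id type before building the rules.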