CASL condition checking seems to be reversed


I'm trying to handle bulk operations with conditions.

To do this

  • I build abilities with conditions describing what the user has access to
  • and then when a request comes in, I make subjects with the conditions describing what resources are requested.

With this approach and the mongo conditions, $all seems to do the comparison in reverse. Instead of checking if all the ids in the conditions of the subject are present in the ability, it seems to check if all the ids in the conditions of the ability are present in the subject.

The ability has the following condition: { serviceIds: { $in: [1, 2] } }

For a bulk delete request, I compute the resources that it affects and build the subject such as makeSubject(subject, { serviceIds: [1, 2, 3, 4] })

Since the checking is reversed, this request, which asks for more than the user has access to, succeeds. It checks if all of the ability conditions [1, 2] are present in the subject conditions [1, 2, 3, 4] instead of the opposite. Ideally this request should be blocked.

Maybe I'm just misunderstanding how this works in general. But that sums up what I want to achieve. If not this way, how else can I achieve this?


Solution

  • The right way to do it is to just break the request down into resources and run ability.can iteratively on each requested subject item.

    I realized that CASL doesn't work with single resources. Since we use authorization and deal with permissions on a request level, I was trying to make it work with bulk requests such as "can I delete serviceIds: [1, 2, 3, 4]" and trying to match it to the user's DELETE POST serviceIds: [1, 2] permission.
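The per-resource check the answer recommends, as an added example that is not part of the original post and not CASL's own code. So that it runs offline, the condition matcher below is hand-written here to follow MongoDB's array semantics (an array field satisfies $in when any element is in the list, and satisfies $all when every listed element is present), which is exactly the behaviour the question reports. The names matchField, matches, defineAbility, bulkCheckAsOneSubject, bulkCheckPerResource and deniedIds, and the sample rule and ids, are all assumptions for this example.

```javascript
// Added example, not CASL's or the poster's code. A toy MongoDB-style matcher
// reproduces the "reversed" result from the question, then the bulk request is
// split and checked one resource at a time, as the answer recommends.

// MongoDB array semantics: when the stored field is an array, $in and plain
// equality succeed if ANY element qualifies, while $all succeeds only if EVERY
// element of the operator's list is present in the stored array.
function matchField(value, cond) {
  const values = Array.isArray(value) ? value : [value];
  if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case '$in':  return values.some((v) => arg.includes(v));
        case '$nin': return values.every((v) => !arg.includes(v));
        case '$all': return arg.every((a) => values.includes(a));
        case '$eq':  return values.includes(arg);
        default:     throw new Error(`unsupported operator ${op}`);
      }
    });
  }
  return values.includes(cond); // plain equality, e.g. { ownerId: 42 }
}

// Every field named in the rule's conditions must match the subject.
function matches(conditions, subject) {
  return Object.entries(conditions).every(([field, cond]) =>
    matchField(subject[field], cond));
}

// Minimal ability (hypothetical stand-in for CASL's): rules are
// { action, subject, conditions? }; a rule with no conditions always applies.
function defineAbility(rules) {
  return {
    can(action, subjectType, subject) {
      return rules.some((rule) =>
        rule.action === action &&
        rule.subject === subjectType &&
        (!rule.conditions || matches(rule.conditions, subject)));
    },
  };
}

// Constructed sample: the user may delete Posts belonging to services 1 or 2.
const ability = defineAbility([
  { action: 'delete', subject: 'Post', conditions: { serviceIds: { $in: [1, 2] } } },
]);

// The question's approach: one subject carrying every requested id. It passes
// as soon as a single requested id is allowed, so over-broad requests get through.
function bulkCheckAsOneSubject(requestedIds) {
  return ability.can('delete', 'Post', { serviceIds: requestedIds });
}

// The answer's approach: split the bulk request and check each resource alone.
function bulkCheckPerResource(requestedIds) {
  return requestedIds.every((id) =>
    ability.can('delete', 'Post', { serviceIds: [id] }));
}

// Same split, but report which ids would be refused (useful in a 403 body or log).
function deniedIds(requestedIds) {
  return requestedIds.filter((id) =>
    !ability.can('delete', 'Post', { serviceIds: [id] }));
}

console.log(bulkCheckAsOneSubject([1, 2, 3, 4])); // true: the result the question calls reversed
console.log(bulkCheckPerResource([1, 2, 3, 4]));  // false: 3 and 4 are outside the rule
console.log(deniedIds([1, 2, 3, 4]));              // [ 3, 4 ]
```

With real CASL the loop stays the same; only the toy defineAbility is swapped for the library's own ability object. Splitting the request before the check also keeps the rule's $in list free of any dependence on how many ids a client chooses to send.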