Question to rules behaviour

[amrap030]

Hello,

in my application, I am updateing the abilities instance with the following rules:

ability.update([
      { action: ['view', 'manage'], subject: 'Process' },
      {
        action: ['view'],
        subject: 'Process',
        conditions: { id: { $in: ['_dcc316cc-67a1-4b7a-929b-831e73b06f2a'] } },
      },
 ])

I was expecting, that a user only has view permissions on the resource with the id _dcc316cc-67a1-4b7a-929b-831e73b06f2a, but has manage permissions, when I ask ability.can('manage', 'Process') with 'Process' as a string. However, the user has also manage permissions on the specific resource in this case. Can this behaviour be changed, or is this correct?

[stalniy]

It’s expected. Rule without condition specifies that user is able to perform action on any resource of specified type.

Please refer to guide for more details. But in short your rules say:

1. User can view/manage any Process
2. OR user can view Proccess with Id = xxx

[amrap030]

Hey @stalniy , thank you for the reply. So is it not possible to enforce the first rule on a statement such as $can('manage', 'Process') and only enforce the rules with conditions when I directly pass an object into $can('update', process)? Maybe with some configuration?

Maybe some background on this:

Users in our application get permissions by roles. I would like to replicate this with the first rule, as some kind of global rule for processes. For example, when I want to hide or show a button to create a new process, I would like to enforce the first rule by $can('manage', 'Process'). However, the processes I fetch from the backend have a permission attached, and these could be completely different, because these processes could come from a share with only view permissions. However, because of the first rule from my role, I also have the manage permission on this process. How can I resolve this problem?

[HommeSauvage]

Maybe you should be more granular:

ability.update([
      { action: ['create'], subject: 'Process' },
      {
        action: ['update'],
        subject: 'Process',
        conditions: { id: { $in: [...processesThatCanBeUpdated] } }
      },
      {
        action: ['view'],
        subject: 'Process',
        conditions: { id: { $in: [...processesThatCanBeViewed] } }
      },
 ])

Instead of manage, you can create an alias without the view permission and define the view in your update to only the processes you want.

If you do a can('manage', 'Process'), you're giving permission to view ALL processes to the user.