Strategy for creates using Prisma

[KATT]

Hey!

I've just started playing around with CASL and using the Prisma-adapter I have a pretty basic use-case question that I'm surprised that I can't find the answer to, so it must be me being silly.

What is unclear to me right now, is how to handle restricted events on writes. On read it's pretty straight-forward to spread the accessibleBy(ability, 'read').Attachment or similar.

Given a a project with an ability that looks something like this:

import { AbilityBuilder, AbilityClass } from '@casl/ability';
import { PrismaAbility, Subjects, accessibleBy } from '@casl/prisma';
import * as Models from '@prisma/client';
import { Session } from 'next-auth';

export type AppAbility = PrismaAbility<
  [
    string,
    Subjects<{
      User: Models.User;
      Organization: Models.Organization
      OrganizationUser: Models.OrganizationUser;;
      Post: Models.Post;
    }>,
  ]
>;

function getAbility(user: UserDetails) {
  const AppAbility = PrismaAbility as AbilityClass<AppAbility>;
  // eslint-disable-next-line @typescript-eslint/unbound-method
  const builder = new AbilityBuilder(AppAbility);

  const email = session?.user?.email;
  if (!email) {
    return builder.build();
  }
  // we can read and write all `Post`s in our own organizatiion
  builder.can('write', 'Post', {
    organizationId: {
      in: user.memberships.map((it) => it.organization.id),
    },
  });
  builder.can('read', 'Post', {
    organizationId: {
      in: user.memberships.map((it) => it.organization.id),
    },
  });
  const ability = builder.build();

  return ability;
}

How can I restrict this function that creates a Post to make sure they only can create Posts within their own organization?

async function createPost(data: Prisma: PostUncheckedCreateInput) {
  // TODO Add ACL-check here based on `data.organizationId` <-----------------

  return await prisma.post.create({
    data,
  })
}

Really appreciate the help. CASL looks awesome.

[d-tw]

Hi @KATT - did you ever find a solution for this?

[johnsonjo4531]

@KATT @d-tw I'm not familiar with Prisma, but wouldn't you just do the check on the ability before the create on the data itself:

async function createPost(data: PostUncheckedCreateInput, prisma, user) {
  const ability = getAbility(user);
  if(!ability.can("write", "Post", data)) throw new Error("Not Authorized!");

  return await prisma.post.create({
    data,
  })
}