"accessible by" feature for ORM integrations

[aguynamedben]

I've used authorization frameworks that have such tight integration with ORMs that you can write controllers like this:

# get posts, but only the ones allowed for Ben!
def get_posts_for_ben
  ben = User.find_by(email: "ben@email.com")
  ability = Ability.for_user(ben)
  @posts = Post.accessible_by(ability)

There are a few authorization libraries I know of that have this capability:

• cancancan (Ruby) - https://www.rubydoc.info/github/CanCanCommunity/cancancan/CanCan%2FModelAdditions%2FClassMethods:accessible_by
• CASL (JavaScript/TypeScript) - https://casl.js.org/v5/en/package/casl-prisma#finding-accessible-records

This Authorization framework + ORM integration increases safety and simplifies development. A new engineer can join a project, write business logic, chain .accessible_by, and respect for the ACL is built into the queries at a low-level.

Do you know of any ORM integrations with casbin that provide this? (in any language) I'm looking at casbin-gorm and other adapters, but don't see this level of ORM integration. Do you know of any adapters or other libraries have this as a goal?

Thank you!

[casbin-bot]

@tangyang9464 @JalinWang

[jeremycare]

@aguynamedben, We are also facing the same problem with Casbin vs CASL.

I don't see a proper way to do number 4 with Casbin, really I wasn't able to find anything in the documentation that talks about such things..

Were you able to find something?

[casbin-bot]

@tangyang9464 @JalinWang @imp2002

[hsluoyz]

We can implement GetAllowedRecordsForUser() first in gorm-adapter as an example. Then extend to other Go adapters and even other languages of Casbin

@PokIsemaine