Skip to content
🔑 Pleasant authorization library for Node.js
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore update repo Oct 24, 2015
license improvements and fixes Jun 26, 2017
package.json 3.1.0 Dec 2, 2017 Fix typo in documentation (#32) May 20, 2018
test.js Support passing options to a rule condition (#30) Dec 2, 2017

Build Status

Authorize easily.

CanCan provides a simple API for handling authorization of actions. Permissions are defined and validated using simple allow() and can() functions respectively.

CanCan is inspired by Ryan Bates' cancan.


$ npm install --save cancan


const CanCan = require('cancan');

const cancan = new CanCan();
const {allow, can} = cancan;

class User {}
class Product {}

allow(User, 'view', Product);

const user = new User();
const product = new Product();

can(user, 'view', product);
//=> true

can(user, 'edit', product);
//=> false


allow(model, action, target, [condition])

Adds a new access rule.


Type: class (function)

Configure the rule for instances of this class.


Type: array|string

Name(s) of actions to allow. If action name is manage, it allows any action.


Type: array|class|string

Scope this rule to the instances of this class. If value is "all", rule applies to all models.


Type: object|function

Optional callback to apply additional checks on both target and action performers.


// allow users to view all public posts
allow(User, 'view', Post, {public: true});

// allow users to edit and delete their posts
allow(User, ['edit', 'delete'], Post, (user, post) => post.authorId ===;

// allow editors to do anything with all posts
allow(Editor, 'manage', Post);

// allow admins to do anything with everything
allow(AdminUser, 'manage', 'all');

can(instance, action, target[, options])

Checks if the action is possible on target by instance.


Type: object

Instance that wants to perform the action.


Type: string

Action name.


Type: object

Target against which the action would be performed.


Type: object

Additional data for the rule condition.


const user = new User();
const post = new Post();

can(user, 'view', post);

With the use of 'options' parameter

const admin = new User({role: 'administrator'});
const user = new User({role: 'user'});

allow(User, 'update', User, (user, target, options) => {
	if (user.role === 'administrator') {
		return true;

	// Don't let regular user update their role
	if (user.role === 'user' && options.fields.includes('role')) {
		return false;

	return true;

can(admin, 'update', user, {fields: ['role']});
//=> true

can(user, 'update', user, {fields: ['username']});
//=> true

can(user, 'update', user, {fields: ['role']});
//=> false

cannot(instance, action, target[, options])

Inverse of .can().

authorize(instance, action, target[, options])

Same as .can(), but throws an error instead of returning false.


MIT © Vadim Demedes

You can’t perform that action at this time.