Skip to content
πŸ”‘ Pleasant authorization library for Node.js
Branch: master
Clone or download
jabedhasan21 and vadimdemedes Fix typo in documentation (#32)
* Fix typo in documentation

* Update
Latest commit 9249ec2 May 20, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
media add new logo Dec 3, 2016
.editorconfig update editorconfig Nov 28, 2016
.gitignore update repo Oct 24, 2015
.travis.yml improvements and fixes Jun 26, 2017
index.js Support passing options to a rule condition (#30) Dec 2, 2017
license improvements and fixes Jun 26, 2017
package.json 3.1.0 Dec 2, 2017 Fix typo in documentation (#32) May 20, 2018
test.js Support passing options to a rule condition (#30) Dec 2, 2017

Build Status

Authorize easily.

CanCan provides a simple API for handling authorization of actions. Permissions are defined and validated using simple allow() and can() functions respectively.

CanCan is inspired by Ryan Bates' cancan.


$ npm install --save cancan


const CanCan = require('cancan');

const cancan = new CanCan();
const {allow, can} = cancan;

class User {}
class Product {}

allow(User, 'view', Product);

const user = new User();
const product = new Product();

can(user, 'view', product);
//=> true

can(user, 'edit', product);
//=> false


allow(model, action, target, [condition])

Adds a new access rule.


Type: class (function)

Configure the rule for instances of this class.


Type: array|string

Name(s) of actions to allow. If action name is manage, it allows any action.


Type: array|class|string

Scope this rule to the instances of this class. If value is "all", rule applies to all models.


Type: object|function

Optional callback to apply additional checks on both target and action performers.


// allow users to view all public posts
allow(User, 'view', Post, {public: true});

// allow users to edit and delete their posts
allow(User, ['edit', 'delete'], Post, (user, post) => post.authorId ===;

// allow editors to do anything with all posts
allow(Editor, 'manage', Post);

// allow admins to do anything with everything
allow(AdminUser, 'manage', 'all');

can(instance, action, target[, options])

Checks if the action is possible on target by instance.


Type: object

Instance that wants to perform the action.


Type: string

Action name.


Type: object

Target against which the action would be performed.


Type: object

Additional data for the rule condition.


const user = new User();
const post = new Post();

can(user, 'view', post);

With the use of 'options' parameter

const admin = new User({role: 'administrator'});
const user = new User({role: 'user'});

allow(User, 'update', User, (user, target, options) => {
	if (user.role === 'administrator') {
		return true;

	// Don't let regular user update their role
	if (user.role === 'user' && options.fields.includes('role')) {
		return false;

	return true;

can(admin, 'update', user, {fields: ['role']});
//=> true

can(user, 'update', user, {fields: ['username']});
//=> true

can(user, 'update', user, {fields: ['role']});
//=> false

cannot(instance, action, target[, options])

Inverse of .can().

authorize(instance, action, target[, options])

Same as .can(), but throws an error instead of returning false.


MIT Β© Vadim Demedes

You can’t perform that action at this time.