feat: enforce access control

crazyoptimist · May 31, 2024 · 97e0730 · 97e0730
1 parent 22e6941
commit 97e0730
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 1 deletion.
diff --git a/src/modules/infrastructure/casl/casl-ability.factory.ts b/src/modules/infrastructure/casl/casl-ability.factory.ts
@@ -8,6 +8,7 @@ import {
 import { Injectable } from '@nestjs/common';
 import { Action } from './action.enum';
 import { User } from '@app/modules/user/user.entity';
+import { RoleEnum } from '@app/modules/user/role.entity';
 
 type Subjects = InferSubjects<typeof User | User> | 'all';
 
@@ -20,7 +21,12 @@ export class CaslAbilityFactory {
       PureAbility as AbilityClass<AppAbility>,
     );
 
-    // TODO: Build abilities
+    const userRoles = user.roles.map((item) => item.name);
+
+    // Build it precisely :)
+    if (userRoles.includes(RoleEnum.Admin)) {
+      can(Action.Manage, 'all');
+    }
 
     return build({
       detectSubjectType: (subject) =>

diff --git a/src/modules/main/app.module.ts b/src/modules/main/app.module.ts
@@ -14,6 +14,7 @@ import { AuthModule } from '@modules/auth/auth.module';
 import { JwtAuthGuard } from '@modules/auth/passport/jwt.guard';
 import { CommonModule } from '@modules/common/common.module';
 import { UserModule } from '@modules/user/user.module';
+import { CaslModule } from '@modules/infrastructure/casl/casl.module';
 
 @Module({
   imports: [
@@ -66,6 +67,7 @@ import { UserModule } from '@modules/user/user.module';
     CommonModule,
     UserModule,
     AuthModule,
+    CaslModule,
   ],
   controllers: [AppController],
   providers: [

diff --git a/src/modules/user/user.controller.ts b/src/modules/user/user.controller.ts
@@ -8,6 +8,7 @@ import {
   Delete,
   Query,
   Res,
+  UseGuards,
 } from '@nestjs/common';
 import { ApiResponse, ApiTags, ApiBearerAuth } from '@nestjs/swagger';
 import { Response } from 'express';
@@ -21,13 +22,19 @@ import {
   getSortParams,
 } from '@app/utils/query-param.util';
 import { TOTAL_COUNT_HEADER_KEY } from '@app/constants';
+import { PoliciesGuard } from '../infrastructure/casl/policies.guard';
+import { CheckPolicies } from '../infrastructure/casl/check-policies.decorator';
+import { Action } from '../infrastructure/casl/action.enum';
+import { User } from './user.entity';
 
 @Controller('api/users')
 @ApiTags('users')
 export class UserController {
   constructor(private readonly userService: UserService) {}
 
   @Post()
+  @UseGuards(PoliciesGuard)
+  @CheckPolicies((ability) => ability.can(Action.Create, User))
   @ApiBearerAuth()
   @ApiResponse({ status: 201, description: 'New User Created' })
   @ApiResponse({ status: 400, description: 'Bad Request' })
@@ -37,6 +44,8 @@ export class UserController {
   }
 
   @Get()
+  @UseGuards(PoliciesGuard)
+  @CheckPolicies((ability) => ability.can(Action.Read, User))
   @ApiBearerAuth()
   @ApiResponse({ status: 200, description: 'All Users' })
   @ApiResponse({ status: 401, description: 'Unauthorized' })
@@ -60,6 +69,8 @@ export class UserController {
   }
 
   @Get(':id')
+  @UseGuards(PoliciesGuard)
+  @CheckPolicies((ability) => ability.can(Action.Read, User))
   @ApiBearerAuth()
   @ApiResponse({ status: 200, description: 'User For Given ID' })
   @ApiResponse({ status: 401, description: 'Unauthorized' })
@@ -69,6 +80,8 @@ export class UserController {
   }
 
   @Patch(':id')
+  @UseGuards(PoliciesGuard)
+  @CheckPolicies((ability) => ability.can(Action.Update, User))
   @ApiBearerAuth()
   @ApiResponse({ status: 200, description: 'Successful Update' })
   @ApiResponse({ status: 400, description: 'Bad Request' })
@@ -82,6 +95,8 @@ export class UserController {
   }
 
   @Delete(':id')
+  @UseGuards(PoliciesGuard)
+  @CheckPolicies((ability) => ability.can(Action.Delete, User))
   @ApiBearerAuth()
   @ApiResponse({ status: 200, description: 'Successful Delete' })
   @ApiResponse({ status: 400, description: 'Bad Request' })