How to apply the CASL authorization accessibleBy filter the right way?

[m1212e]

Hi, I use CASL for authorization. To be precise, I use its prisma integration which allows me to specify permissions based on my database structure like this:

export const defineAbilitiesForConference = (
  session: Session,
  { can }: AbilityBuilder<AppAbility>,
) => {
  if (session.data?.loggedIn && session.data.user) {
    const user = session.data.user;
    can("create", "Conference");
    can(["list", "read"], "Conference", {
      OR: [
        { members: { some: { user: { id: user.id } } } },
        {
          committees: {
            some: { members: { some: { user: { id: user.id } } } },
          },
        },
      ],
    });
    can(["update", "delete"], "Conference", {
      members: { some: { user: { id: user.id }, role: "ADMIN" } },
    });
  }
};

Coming from a simple REST api I simply injected the accessibleBy helper into my database query to filter out results the user could not access or throw an error in case the user can't access anything:

  api.get(
    "/conference",
    ({ permissions }) =>
      db.conference.findMany({
        where: permissions.allowDatabaseAccessTo("list").Conference,
      }),
    {
      detail: {
        description: "Get all conferences",
      },
    },
  )

this works pretty nice since I simply can declaratively specify which entities are accessible/readable/listable etc. under which specific conditions.
Now I would like to switch to a graphql api (I'm new to the whole thing, please forgive me any misunderstandings :D) and I start defining resolvers and objects. E.g. coming from the example of the docs, adapted to my usecase from above I think this would be something like this:

builder.prismaObject("Conference", {
  fields: (t) => ({
    id: t.exposeID("id"),
    name: t.exposeString("name"),
    committees: t.relation("committees"),
  }),
});

builder.prismaObject("Committee", {
  fields: (t) => ({
    id: t.exposeID("id"),
    name: t.exposeString("name"),
    members: t.relation("members"), // I'll omit further definitions from this point on since it's tightly related with various tables
  }),
});

builder.queryType({
  fields: (t) => ({
    findConferences: t.prismaField({
      type: ["Conference"],
      resolve: async (query, root, args, ctx, info) => {
        // if I'd like to adjust the args for more filters, I'd add them here
        args.where = ctx.permissions.allowDatabaseAccessTo("list").Conference;
        return db.conference.findMany({
          ...query,
        });
      },
    }),
  }),
});

And this works fine, as long as I only look at the non relations. So conferences the user does not have access to are filtered out just as I expect it to.
But the committees are not. I totally see why, when the requests wants the committee relation, something like this:

query {
  findConferences {
    name
    committees{
      name
    }
  }
}

the database query obviously just returns all entries which are related.

So now to my question: How can I elegantly run the permission filter/checks for relation queries? Do you have an easily comprehensible example for a scenario similar to mine? Or just some general advice on API structure/design which I can follow to tackle this?

I need something similar to the args.where = ctx.permissions.allowDatabaseAccessTo("list").Conference; condition injected into the query for the related entities. In this case it would be ctx.permissions.allowDatabaseAccessTo("list").Committee; to be precise since that would only return entities the user may actually list.

Thank you so much for your time and work!

[hayes]

I don't have any experience working with CASL, but the scope auth plugin is probably a good place to start: https://pothos-graphql.dev/docs/plugins/scope-auth

I think your idea of filtering down inside the queries is good, I've do that in a lot of the APIs I've worked on.

For filtering nested relations, the t.relation method can take a query option that can use, as long as you can generate the query syncronously, eg: t.relation('committees', { query: (args, context) => ({ where: ctx.permissions.allowDatabaseAccessTo("list").Committee }) })

[m1212e]

Ohh thats a nice idea! I'll give that a shot, thanks!

[jbeckton]

@m1212e Try and use the CASL Prisma function called accessibleBy(), You can concatenate the results from calling const where1 = accessibleBy(abilities, 'read').Conference and const where2 = accessibleBy(abilities, 'read').Committee. You will have two objects, one for the where for Conference and one for the where for Committee. Just join those together properly to make where clause for the relation. In your include object you can use the second where input to filter the relation.