
Record-level Permissions in HazelJS with @hazeljs/casl
@hazeljs/auth ships RoleGuard and TenantGuard — and between those two primitives you can express most access control policies. A route can require a minimum role, and the tenant guard ensures you are never looking at another organisation's data. That covers probably 90% of real-world requirements.

The remaining 10% is the hard part: ownership. Questions like "can this user edit this specific task?" cannot be answered at the route level, because the route executes before you have fetched the record. The answer depends on the data itself — who the record is assigned to, what state it is in, whether the caller owns it. @hazeljs/casl is the answer to that 10%.

What RBAC alone cannot express

Consider a task management API. The business rules for a regular user role are:

- Can read any task in their organisation.
- Can create new tasks.
- Can update a task — only if it is assigned to them.
- Can delete a task — only if it is assigned to them and the status is still todo.

The first two rules fit cl
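To make the route-level versus record-level distinction concrete, here is an added illustration in plain JavaScript of the four rules for the regular user role. It is not code from the article and does not use @hazeljs/casl's API (which is not shown here); it is a hand-rolled condition-based checker in which each rule may carry a predicate evaluated against the fetched record. The function names defineAbilitiesFor and handleRequest, the task fields orgId, assigneeId and status, and the sample users and tasks are all assumptions constructed for the example; treating "manage" as a wildcard action follows CASL's convention.

```javascript
// Added illustration: a minimal condition-based ability checker for the task
// rules above. Not @hazeljs/casl's API (assumed unknown here); it only shows
// why ownership rules must be evaluated against the record after it is loaded.

// A rule is { action, subject, conditions? }, where conditions(record, user)
// returns true when the rule applies to that particular record.
function defineAbilitiesFor(user) {
  const rules = [];
  const can = (action, subject, conditions) =>
    rules.push({ action, subject, conditions });

  if (user.role === 'user') {
    // Read any task in the caller's organisation (normally TenantGuard's job,
    // repeated here so the checker stands alone).
    can('read', 'Task', (task) => task.orgId === user.orgId);
    // Create: no record exists yet, so there is nothing to condition on.
    can('create', 'Task');
    // Update only tasks assigned to the caller.
    can('update', 'Task', (task) => task.assigneeId === user.id);
    // Delete only own tasks that are still in the todo state.
    can('delete', 'Task',
      (task) => task.assigneeId === user.id && task.status === 'todo');
  }

  if (user.role === 'admin') {
    // 'manage' is used as a wildcard action, as CASL does.
    can('manage', 'Task');
  }

  return {
    can(action, subject, record) {
      return rules.some((rule) =>
        rule.subject === subject &&
        (rule.action === action || rule.action === 'manage') &&
        (rule.conditions === undefined || rule.conditions(record, user)));
    },
  };
}

// Constructed sample data (assumed field names).
const alice = { id: 'u1', role: 'user', orgId: 'org-a' };
const bob = { id: 'u2', role: 'user', orgId: 'org-a' };
const root = { id: 'u9', role: 'admin', orgId: 'org-a' };
const tasks = {
  t1: { id: 't1', orgId: 'org-a', assigneeId: 'u1', status: 'todo' },
  t2: { id: 't2', orgId: 'org-a', assigneeId: 'u2', status: 'in_progress' },
  t3: { id: 't3', orgId: 'org-b', assigneeId: 'u1', status: 'todo' },
};

// A route-level guard knows only the role and the route. The ownership check
// can only run here, after the handler has loaded the record. Returns an
// HTTP-style status code so the outcome is easy to assert on.
function handleRequest(user, action, taskId) {
  const ability = defineAbilitiesFor(user);
  if (action === 'create') {
    return ability.can('create', 'Task') ? 201 : 403;
  }
  const task = tasks[taskId];
  if (!task) return 404;
  return ability.can(action, 'Task', task) ? 200 : 403;
}

// Stand-alone demonstration.
console.log('alice update t2 (assigned to bob):', handleRequest(alice, 'update', 't2')); // 403
console.log('bob delete t2 (in_progress):', handleRequest(bob, 'delete', 't2'));         // 403
console.log('alice delete t1 (own, todo):', handleRequest(alice, 'delete', 't1'));       // 200
```

Note that the predicate for "delete" needs both the assignee and the status of the record, neither of which a guard running before the handler can see; that is the whole reason these rules cannot live at the route level.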
Continue reading on Dev.to


