# CASL issue


jagged ore

These are the different types of users in my app:

```
export const enum USER_TYPE {
  SUPER_ADMIN = 'SUPER_ADMIN',
  ADMIN = 'ADMIN',
  COMPANY_ADMIN = 'COMPANY_ADMIN',
  STORE_ADMIN = 'STORE_ADMIN',
  MANAGER = 'MANAGER',
}

// Lower number = higher privilege
export const USER_TYPE_ORDER = {
  SUPER_ADMIN: 1,
  ADMIN: 2,
  COMPANY_ADMIN: 3,
  STORE_ADMIN: 4,
  MANAGER: 5,
};
```

The AppAbility file code:

```
import { AbilityBuilder, createMongoAbility } from '@casl/ability';
import { USER_TYPE, USER_TYPE_ORDER } from './user-type'; // import path assumed

export function defineAbilitiesFor(user) {
  const { can, build } = new AbilityBuilder(createMongoAbility);

  if (user.role === USER_TYPE.SUPER_ADMIN) {
    can('manage', 'all');
  } else if (user.role === USER_TYPE.ADMIN) {
    can('create', user, { userType: { $gte: USER_TYPE_ORDER.ADMIN } });
  } else if (user.role === USER_TYPE.COMPANY_ADMIN) {
    can('create', user, { userType: { $gte: USER_TYPE_ORDER.COMPANY_ADMIN } });
  } else if (user.role === USER_TYPE.STORE_ADMIN) {
    can('create', user, { userType: { $gte: USER_TYPE_ORDER.STORE_ADMIN } });
  } else if (user.role === USER_TYPE.MANAGER) {
    // no rules defined for MANAGER
  }
  return build();
}
```

User creation logic: an ADMIN user can create users such as COMPANY_ADMIN, STORE_ADMIN, MANAGER, but a COMPANY_ADMIN cannot create ADMIN or SUPER_ADMIN, and so on and so forth. But this is not working; instead it throws a Forbidden error. I am currently logged in as an ADMIN user and trying to create a COMPANY_ADMIN user, but it is not working.


The RolesGuard code:

```
import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
import { Reflector } from '@nestjs/core';
import { JwtService } from './jwt.service';         // project-specific, path assumed
import { RedisService } from './redis.service';     // project-specific, path assumed
import { defineAbilitiesFor } from './app-ability'; // path assumed

@Injectable()
export class RolesGuard implements CanActivate {
  constructor(
    private readonly reflector: Reflector,
    private readonly jwtService: JwtService,
    private readonly redisService: RedisService
  ) {}

  async canActivate(context: ExecutionContext): Promise<boolean> {
    // Roles declared with @Roles(...) on the handler or on the controller
    const requiredRoles = this.reflector.getAllAndOverride<string[]>('roles', [context.getHandler(), context.getClass()]);

    const request = context.switchToHttp().getRequest();
    const bearerToken = request.headers.authorization;
    if (!bearerToken || !bearerToken.startsWith('Bearer ')) return false;

    const token = bearerToken.split(' ')[1];
    try {
      const decoded = this.jwtService.verifyAccessToken(token);
      const userRole = decoded.userType;

      request.user = decoded;

      const user = { role: userRole };
      const abilities = defineAbilitiesFor(user);

      // Each required role name is passed to CASL as the action
      const canAccess = requiredRoles.some((role) => abilities.can(role, 'any'));

      if (!canAccess) return false;

      // The session must still exist in Redis
      const userId = decoded.userId;
      const loggedIn = await this.redisService.getValue(userId);
      if (!loggedIn) return false;

      return true;
    } catch (error) {
      return false;
    }
  }
}
```

My user entity file:

```
import { Prop, Schema, SchemaFactory } from '@nestjs/mongoose';
import { ObjectType } from '@nestjs/graphql';
import { Model } from 'mongoose';
import { DATABASE_COLLECTION } from './constants'; // path assumed
import { USER_TYPE } from './user-type';           // path assumed
import { IUser } from './user.interface';          // path assumed

@Schema({
  collection: DATABASE_COLLECTION.USER,
  timestamps: true,
})
@ObjectType()
export class User extends Model<IUser> {
  @Prop({ required: true, unique: true, trim: true })
  email: string;

  @Prop({ required: true })
  password: string;

  @Prop({ trim: true })
  name: string;

  @Prop({ trim: true })
  phone: string;

  // Role of this user; note the field is named `type`
  @Prop({ required: true })
  type: USER_TYPE;
}

export const UserSchema = SchemaFactory.createForClass(User);
```


The registration method:

```
@Post('register')
@UseGuards(RolesGuard)
@Roles('SUPER_ADMIN', 'ADMIN', 'COMPANY_ADMIN')
@HttpCode(201)
async register(@Body() userData: CreateUserDto): Promise<any> {
  try {
    const user = await firstValueFrom(this.userService.Signup(userData));
    return sendSuccess(user);
  } catch (error) {
    throw new BadRequestException(error.message);
  }
}
```
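An added example, not the poster's code, of the check a create-user guard needs: the creator's role comes from the verified JWT claim, the target type comes from the request body, and both are ordered through USER_TYPE_ORDER so the string enum can be compared by rank. It is plain JavaScript with no CASL dependency so it runs stand-alone; `rulesFor`, `matches`, `can` and `authorizeCreate` are names assumed for this illustration, and the rule shape mirrors CASL's (action, subject, conditions) so it maps onto `AbilityBuilder` one to one.

```javascript
// Added example (not the poster's code). Ranks come from the page's USER_TYPE_ORDER.
const USER_TYPE_ORDER = { SUPER_ADMIN: 1, ADMIN: 2, COMPANY_ADMIN: 3, STORE_ADMIN: 4, MANAGER: 5 };

// Rules held by a creator with `role`, in CASL's (action, subject, conditions) shape.
// The condition is on a numeric `rank` derived from the target's `type`, because
// `$gte` cannot order the string enum. Same rank is allowed, as in the post's `$gte`;
// use `$gt` to forbid creating peers.
function rulesFor(role) {
  if (role === 'SUPER_ADMIN') return [{ action: 'manage', subject: 'all', conditions: {} }];
  const rank = USER_TYPE_ORDER[role];
  if (rank === undefined) return []; // unknown role: no permissions, fail closed
  return [{ action: 'create', subject: 'User', conditions: { rank: { $gte: rank } } }];
}

// Minimal evaluator for the Mongo-style operators these rules use.
function matches(conditions, attrs) {
  return Object.entries(conditions).every(([field, ops]) =>
    Object.entries(ops).every(([op, v]) => {
      const x = attrs[field];
      if (op === '$gte') return x >= v;
      if (op === '$gt') return x > v;
      if (op === '$in') return v.includes(x);
      return false; // unsupported operator: deny
    }));
}

// CASL-style question: may `role` perform `action` on this subject instance?
function can(role, action, subjectType, attrs) {
  return rulesFor(role).some((r) =>
    (r.action === 'manage' || r.action === action) &&
    (r.subject === 'all' || r.subject === subjectType) &&
    matches(r.conditions, attrs));
}

// Guard-side check: the creator is the verified JWT claim (`userType`), the target
// is what the request body asks to create. Authorize the action on the target
// rather than checking the caller's role name as if it were an action.
function authorizeCreate(claims, body) {
  const targetRank = USER_TYPE_ORDER[body.type];
  if (targetRank === undefined) return { allowed: false, reason: `unknown user type: ${body.type}` };
  const allowed = can(claims.userType, 'create', 'User', { rank: targetRank });
  return { allowed, reason: allowed ? 'ok' : `${claims.userType} may not create ${body.type}` };
}

// Constructed sample: the scenario from the post, an ADMIN creating a COMPANY_ADMIN.
console.log(authorizeCreate({ userType: 'ADMIN' }, { type: 'COMPANY_ADMIN' }));
console.log(authorizeCreate({ userType: 'COMPANY_ADMIN' }, { type: 'ADMIN' }));
```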