Ability file
This file is the main entry point for your rules: it instantiates Guard and assigns the specified types.
See: app/guard/ability.ts
Rules
The ability file is read top to bottom; rules at the bottom take precedence over the ones at the top.
Take the following example:
Best practices
Remove all permissions first, then grant them one by one.
Your logic will be more direct and easier to follow, which reduces confusion and potential bugs.
caution
Blitz Guard will allow everything unless you state otherwise. No rules means that everything is allowed.
If guards look similar, take some code out of them
Guard executes a rule's guard condition only when the rule already matches the ability and resource. Whenever possible, express a condition through the ability and resource instead of the guard, and keep as much logic as you can out of the guard itself.
Can & Cannot
These two methods determine what a user can or cannot do in your application.
ability
The action that the user can perform.
Default: create, read, update, delete, manage
resource
The subject of the action.
Default: all
guard (optional)
The condition for the rule to apply. args are passed down from a wrapped mutation or query, or manually when calling Guard.can.
async (args) => boolean
Reasons
With each rule, you can define a reason for it.
The text replaces the AuthorizationError message for both authorizePipe and authorize.
When using Guard.can you receive the result (true/false) together with the reason.
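The following TypeScript is an added model of the rule semantics described on this page (the Rules, Best practices, Can & Cannot and Reasons sections); it is not Blitz Guard's code or its API. It shows rules being walked from the bottom so the last applicable rule wins, a guard that only runs once ability and resource already match, an empty rule set that allows everything, and a denied check carrying the rule's reason. `RuleSet`, `check`, the `manage`/`all` wildcard handling and the positional reason argument are assumptions of this model, and the comment/author scenario is constructed.

```typescript
// Constructed model of the rule semantics described above; not Blitz Guard's implementation.
type GuardFn = (args: Record<string, unknown>) => Promise<boolean>

interface Rule {
  allow: boolean
  ability: string
  resource: string
  guard?: GuardFn
  reason?: string
}

interface Decision {
  can: boolean
  reason?: string
}

class RuleSet {
  private readonly rules: Rule[] = []

  // Rules are appended in the order written; "manage" and "all" act as wildcards (model assumption).
  can(ability: string, resource: string, guard?: GuardFn, reason?: string): this {
    this.rules.push({ allow: true, ability, resource, guard, reason })
    return this
  }

  cannot(ability: string, resource: string, guard?: GuardFn, reason?: string): this {
    this.rules.push({ allow: false, ability, resource, guard, reason })
    return this
  }

  async check(ability: string, resource: string, args: Record<string, unknown> = {}): Promise<Decision> {
    // Walk from the bottom: the last rule that applies takes precedence.
    for (let i = this.rules.length - 1; i >= 0; i--) {
      const rule = this.rules[i]
      const abilityMatches = rule.ability === "manage" || rule.ability === ability
      const resourceMatches = rule.resource === "all" || rule.resource === resource
      if (!abilityMatches || !resourceMatches) continue
      // The guard runs only once ability and resource match; a false guard means the rule does not apply.
      if (rule.guard && !(await rule.guard(args))) continue
      return { can: rule.allow, reason: rule.reason }
    }
    // No rule applied: everything is allowed by default (the caution above).
    return { can: true }
  }
}

// Follows the best practice above: deny everything first, then grant one ability at a time.
function buildCommentRules() {
  const counters = { deleteGuardCalls: 0 }
  const rules = new RuleSet()
    .cannot("manage", "all", undefined, "Access denied by default")
    .can("read", "comment")
    .can("create", "comment")
    .can("delete", "comment")
    // Bottom rule wins: non-authors are denied, with a reason the caller can surface.
    .cannot(
      "delete",
      "comment",
      async (args) => {
        counters.deleteGuardCalls++
        return args.authorId !== args.userId
      },
      "Only the author can delete a comment"
    )
  return { rules, counters }
}

async function demo() {
  const { rules, counters } = buildCommentRules()
  return {
    emptyRuleSetAllowsEverything: (await new RuleSet().check("delete", "project")).can,
    readComment: await rules.check("read", "comment"),
    updateComment: await rules.check("update", "comment"),
    ownerDelete: await rules.check("delete", "comment", { authorId: 1, userId: 1 }),
    otherDelete: await rules.check("delete", "comment", { authorId: 1, userId: 2 }),
    readProject: await rules.check("read", "project"),
    // Only the two delete checks reached the guard; the non-matching checks never executed it.
    deleteGuardCalls: counters.deleteGuardCalls,
  }
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)))
```

The counter on the delete guard is what the "take code out of guards" advice relies on: the read, create and update checks never reach it, so logic placed in ability and resource matching is evaluated before any guard code runs.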