Can I use CASL?

Can I use CASL in Redwood to implement ability-based access control rather than role-based?

About CASL

Hi, I think you can do what you want with RedwoodJS. You can make your own role-based implementation with CASL.
I read in the tutorial that they are working on Redwood’s Authorization system, and I’ve worked with CASL too and I loved it! It would be great if something CASL-style appeared for RedwoodJS in the future.

1 Like

Hi @mlshv and welcome!

I had not heard of CASL, so thanks for bringing that to my attention.

It reminds me of CanCan which I often used to define permissions in Rails apps some time ago.

Redwood makes a slight distinction between roles and permissions – and has implemented, pre-1.0, just role names, since some of the current AuthProviders support setting those roles in their JWT (Auth0 and Netlify Identity). Other providers don’t and thus one has to roll :wink: your own roles.

In Auth0, users have roles and roles have permissions: https://auth0.com/docs/authorization/rbac/roles/add-permissions-to-roles

But currently, permissions are not checked.

That said, there is nothing that prevents you from using the permission/ability as a role. You might have to concatenate the permission:model on the web side and then also in auth.js write your own logic check in requireAuth() … but should be doable.

Have a look at the RBAC Cookbook for some examples of how to implement custom role checks – and you might be able to adapt them to permissions.

If so, a write-up or addition to the cookbook would be most welcome! … and RW can use it to design permission support in the +v1.

1 Like
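
One way to write the server-side check the reply above describes, treating each `permission:model` string as a role. This is an added example, not code from the thread, Redwood or CASL: `ability`, `hasAbility`, `requireAbility`, the two error classes and the sample users are hypothetical, and `currentUser` is passed in explicitly instead of being read from Redwood's request context.

```javascript
// Added example: hypothetical helpers, not Redwood's or CASL's API.
class AuthenticationError extends Error {}
class ForbiddenError extends Error {}

// Build the "permission:model" string, e.g. ability('update', 'Post') -> 'update:Post'.
// Rejecting anything but plain identifiers keeps a stray ':' out of the key.
function ability(action, model) {
  const ident = /^[A-Za-z][A-Za-z0-9]*$/
  if (!ident.test(action) || !ident.test(model)) {
    throw new TypeError('action and model must be plain identifiers')
  }
  return action + ':' + model
}

// Normalise roles to an array. If roles arrives as a single string,
// calling .includes() on it directly would be a substring match, so
// 'read:PostDraft' would wrongly satisfy a check for 'read:Post'.
function roleList(currentUser) {
  const roles = currentUser ? currentUser.roles : undefined
  if (typeof roles === 'string') return [roles]
  return Array.isArray(roles) ? roles : []
}

// Exact-match check; a missing or malformed roles value denies.
function hasAbility(currentUser, action, model) {
  return roleList(currentUser).includes(ability(action, model))
}

// Server-side gate in the style of a requireAuth() check.
function requireAbility(currentUser, action, model) {
  if (!currentUser) throw new AuthenticationError('Not authenticated')
  if (!hasAbility(currentUser, action, model)) {
    throw new ForbiddenError('Missing ability ' + ability(action, model))
  }
  return true
}

// Constructed sample user, shaped like a decoded roles claim.
const editor = { roles: ['read:Post', 'update:Post'] }
console.log(hasAbility(editor, 'update', 'Post'))
console.log(hasAbility({ roles: 'read:PostDraft' }, 'read', 'Post'))
```

The same `permission:model` strings can drive what the web side shows, but the check that decides access is the one that runs on the API side.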