
Feature Request: Add Support for Field-Level Permissions in CASL with @casl/mongoose Integration #561


Open
yonashalefom opened this issue May 22, 2025 · 2 comments

Comments

@yonashalefom

yonashalefom commented May 22, 2025

Hi 👋 and thank you for the great work on this awesome repo!

You are currently using CASL to manage resource-level permissions with actions and subjects (e.g., can('read', 'User')), which has been working well for controlling access to endpoints. This works great.

However, I’d love to see CASL support field-level permissions out of the box, so that we can define which specific fields of a model a user is allowed to read, update, or delete.

Why This Feature Is Needed

Field-level access control is essential for more granular security in real-world applications. For example, we might want a user to be able to read a user's name and email, but not their role or salary. Similarly, one role might be allowed to update just the email field, while another role can update both email and role.

What I'm Proposing

  • Add support for defining and enforcing field-level permissions using CASL's existing fields feature.
  • Consider adding helper methods or middleware (guards etc.) that make it easier to apply these permissions when interacting with MongoDB.
  • Integrate this capability using @casl/mongoose, so that something like accessibleBy or a similar mechanism could also project only the allowed fields from the database.
```js
import { defineAbility } from '@casl/ability';
import { User } from './user.model'; // assumed path: Mongoose model with the @casl/mongoose plugin applied

const ability = defineAbility((can) => {
  can('read', 'User', ['name', 'email']);
  can('update', 'User', ['email']);
});

// Ideally this would limit fields automatically
const users = await User.find(...).accessibleBy(ability, 'read');
// => Returns users with only `name` and `email` fields
```

Summary

I’d really appreciate it if ACK could support this level of granularity. I believe many developers would benefit from field-level control, especially in data-sensitive applications. If this sounds like something you’re open to, I'd be happy to help however I can: testing, feedback, or even contributing.

Thanks again for your amazing work 🙏
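As an added example (not from this issue, the ACK project, or the @casl/ability API itself), the snippet below uses a minimal stand-in for field-level rules to show the two enforcement points the request describes: permitted fields become a Mongoose-style inclusion projection for reads, and an update body that touches a field the caller may not change (such as `role` or `salary`) is rejected rather than silently written. The rule shape and function names are assumptions.

```javascript
// Minimal stand-in for field-level rules (constructed; not the @casl/ability API):
// each rule grants an action on a subject type, optionally limited to fields.
const rules = [
  { action: 'read',   subject: 'User', fields: ['name', 'email'] },
  { action: 'update', subject: 'User', fields: ['email'] },
  { action: 'read',   subject: 'Post' },            // no field limit: all fields
];

// Fields the rule set permits for (action, subject).
// Returns [] when nothing is granted and null when every field is allowed.
function permittedFields(rules, action, subject) {
  const matching = rules.filter(r => r.action === action && r.subject === subject);
  if (matching.length === 0) return [];
  if (matching.some(r => !r.fields)) return null;
  return [...new Set(matching.flatMap(r => r.fields))];
}

// Build a Mongoose-style inclusion projection ({ name: 1, email: 1 }) so the
// database returns only permitted fields; {} lets every field through.
function projectionFor(rules, action, subject) {
  const fields = permittedFields(rules, action, subject);
  if (fields === null) return {};
  return Object.fromEntries(fields.map(f => [f, 1]));
}

// Enforce field-level rules on an incoming update body: list every field the
// caller may not update so the request can be refused before it reaches the DB.
function checkUpdate(rules, subject, body) {
  const allowed = permittedFields(rules, 'update', subject);
  const denied = Object.keys(body).filter(f => allowed !== null && !allowed.includes(f));
  return { ok: denied.length === 0, denied };
}

// Constructed sample request bodies.
const okUpdate = checkUpdate(rules, 'User', { email: 'a@example.com' });            // ok: true
const badUpdate = checkUpdate(rules, 'User', { email: 'a@example.com', role: 'admin' }); // denied: ['role']
```

A subject with no matching rule yields an empty field list, so the default is deny rather than allow-all.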

@andrechristikan (Owner)

hi @yonashalefom

great feature request!
we have class-transformer/class-validator, but they only handle static field control.
casl field-level would provide dynamic, role-based permissions with database optimization that we currently lack.

this would definitely add significant value to the boilerplate, especially for data-sensitive applications.

maybe would you be interested in contributing this feature?
i suggest starting with the @casl/mongoose integration first to get the foundation working, then we can build the field-level permissions on top of it.

thanks for the thoughtful suggestion! 🚀

@yonashalefom (Author)

Awesome, thanks! I'll be happy to contribute. I’ll start with @casl/mongoose and build from there.
