Create an AbilityFactory service that builds a CASL ability for the current user based on their roles and attributes. Build a PoliciesGuard that reads policy handlers from route metadata via @CheckPolicies() and evaluates each against the user's ability. Policy handlers are functions that call ability.can() on specific actions and subjects.
AbilityFactory is REQUEST-scoped if abilities depend on database state — singleton if based only on JWT claims.
can('update', 'Article', { authorId: user.id }) — conditional rule using subject field matching.
subject('Article', articleInstance) — wraps a plain object so CASL can match field conditions against it.
policies.every() — all policies must pass; use policies.some() for OR semantics.
Combine PoliciesGuard with JwtAuthGuard — run auth first so req.user is always available.
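The notes above describe the moving parts without showing how they fit together. The following is an added example, not code from the page or from the CASL or NestJS projects: a dependency-free stand-in that mimics CASL's `ability.can()` with conditional rules and `subject()` tagging, an `AbilityFactory`-style `buildAbility()` that derives rules from the user's roles, and the `every`/`some` decision step a `PoliciesGuard` performs. The names `buildAbility`, `PolicyHandler`, `evaluatePolicies`, the `__subjectType` marker and the sample users and article are assumptions made for illustration.

```typescript
// Added example: a minimal, dependency-free stand-in for the CASL pieces the
// notes refer to (ability.can(), conditional rules, subject() tagging) and the
// policy-handler evaluation a PoliciesGuard performs. It is not @casl/ability
// or NestJS code; buildAbility, PolicyHandler and evaluatePolicies are names
// assumed here for illustration.

type Action = "read" | "update" | "delete" | "manage";
type SubjectName = "Article" | "User" | "all";

// A CASL-style rule: action on subject, optionally restricted by field conditions.
interface Rule {
  action: Action;
  subject: SubjectName;
  conditions?: { [field: string]: unknown };
  inverted?: boolean; // a cannot() rule
}

// What a JwtAuthGuard places on req.user (shape is a constructed sample).
interface AppUser {
  id: number;
  roles: string[];
}

// subject('Article', instance): tag a plain object with its subject type so
// field conditions can be matched against it (CASL keeps a similar marker).
interface Tagged {
  __subjectType?: SubjectName;
  [field: string]: unknown;
}

function subject(name: SubjectName, obj: { [field: string]: unknown }): Tagged {
  const tagged: Tagged = { ...obj };
  tagged.__subjectType = name;
  return tagged;
}

class Ability {
  private readonly rules: Rule[];

  constructor(rules: Rule[]) {
    this.rules = rules;
  }

  // subj is either a subject type ("Article") or a tagged instance.
  can(action: Action, subj: SubjectName | Tagged): boolean {
    const name = typeof subj === "string" ? subj : subj.__subjectType;
    if (name === undefined) return false; // untagged object: nothing matches, the pitfall subject() avoids
    let allowed = false;
    for (const rule of this.rules) {
      const actionMatch = rule.action === action || rule.action === "manage";
      const subjectMatch = rule.subject === name || rule.subject === "all";
      if (!actionMatch || !subjectMatch) continue;
      // A conditional rule matches a type-only check ("can update some Article")
      // but matches an instance only when every condition field is equal.
      if (rule.conditions && typeof subj !== "string") {
        const conds = rule.conditions;
        const inst = subj;
        const fieldsMatch = Object.keys(conds).every((k) => inst[k] === conds[k]);
        if (!fieldsMatch) continue;
      }
      allowed = !rule.inverted; // later rules override earlier ones, as in CASL
    }
    return allowed;
  }
}

// AbilityFactory.createForUser(): derive the user's rules from roles/attributes.
function buildAbility(user: AppUser): Ability {
  const rules: Rule[] = [];
  if (user.roles.indexOf("admin") !== -1) {
    rules.push({ action: "manage", subject: "all" });
  } else {
    rules.push({ action: "read", subject: "Article" });
    // Conditional rule: may update only articles they authored.
    rules.push({ action: "update", subject: "Article", conditions: { authorId: user.id } });
    rules.push({ action: "delete", subject: "Article", inverted: true });
  }
  return new Ability(rules);
}

// Policy handlers as passed to @CheckPolicies(...): each calls ability.can().
type PolicyHandler = (ability: Ability) => boolean;

// The decision step of PoliciesGuard.canActivate(). `user` is req.user; it is
// undefined when the auth guard did not run first, and the guard fails closed.
function evaluatePolicies(
  user: AppUser | undefined,
  handlers: PolicyHandler[],
  mode: "every" | "some" = "every",
): boolean {
  if (!user) return false;
  const ability = buildAbility(user);
  return mode === "every"
    ? handlers.every((h) => h(ability))
    : handlers.some((h) => h(ability));
}

// Constructed sample data.
const author: AppUser = { id: 7, roles: ["user"] };
const otherUser: AppUser = { id: 8, roles: ["user"] };
const admin: AppUser = { id: 1, roles: ["admin"] };
const article = { id: 42, authorId: 7, title: "hello" };

const canUpdateArticle: PolicyHandler = (a) => a.can("update", subject("Article", article));
const canDeleteArticle: PolicyHandler = (a) => a.can("delete", subject("Article", article));
```

Two behaviours worth noticing: passing the raw `article` object to `can()` without `subject()` matches nothing, so a handler that forgets the wrapper denies silently rather than granting; and `evaluatePolicies(undefined, ...)` denies, which is the situation you get when the policies guard runs before the auth guard has populated `req.user`.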