explaingit

stalniy/casl

6,917 · TypeScript · Audience · developer · Complexity · 3/5 · Setup · moderate

TLDR

JavaScript and TypeScript library for defining what logged-in users are allowed to do in an app, with the same permission rules enforced consistently across the browser, API, and database.

Mindmap

mindmap
  root((CASL))
    Core concept
      Ability rules
      Actions on resources
    Integrations
      React
      Angular and Vue
      Mongoose
      Prisma
    Features
      Field-level rules
      Serializable rules
      TypeScript support
    Use cases
      Role-based access
      Ownership checks

Things people build with this

USE CASE 1

Define role-based access rules once and enforce them in both your React frontend and Node.js API without duplicating logic in two places

USE CASE 2

Restrict users to editing only their own posts by writing a conditional CASL rule that checks resource ownership

USE CASE 3

Serialize permission rules from the server and send them to the browser so the UI hides buttons the user cannot access

USE CASE 4

Integrate CASL with Prisma or Mongoose to automatically scope database queries to what the current user is allowed to see

Tech stack

TypeScript · JavaScript · Angular · React · Vue · Mongoose · Prisma

Getting it running

Difficulty · moderate Time to first run · 30min

Requires wiring ability definitions into both the client and the server; each framework has its own integration package to configure.

In plain English

CASL (pronounced like "castle") is a JavaScript and TypeScript library for managing authorization in web applications. Authorization is the process of deciding what a logged-in user is actually allowed to do: can this person read a post, edit it, or delete it? CASL provides a structured way to define and check those rules so the same logic can be applied consistently across a browser interface, a back-end API, and database queries.

The library is built around the concept of abilities: a collection of rules describing what actions a user can perform on which resources. A rule can be as broad as "any user can read blog posts" or as specific as "a user can only delete their own posts if the post was created in the last 24 hours." Rules can also target specific fields on a resource, not just the resource type as a whole.

CASL is designed to work in both browser and server environments without changes. It has official integration packages for major JavaScript frameworks: Angular, React, Vue, and Aurelia on the front end, and Mongoose and Prisma on the back end. The core package is small, around 6 kilobytes compressed, and the package structure lets you include only the parts your project needs.

Rules can be serialized, meaning converted to plain data and sent from a server to a browser, so the front end enforces the same permissions as the API without duplicating the logic in two places. The library is written in TypeScript, giving you type-checking throughout. It was inspired by a Ruby authorization library called CanCan.

Documentation, examples, and a community support channel are available through the project's GitHub discussions and the links in the README.
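As an added illustration, and not code from the CASL repository, the following self-contained TypeScript sketch shows the mechanism the explanation above describes: rules as plain data (action, resource type, optional conditions, optional field list), a last-matching-rule-wins check, an ownership condition and a 24-hour window, and a JSON round trip standing in for the server sending its rules to the browser. The names `Ability`, `Rule`, `defineRulesFor` and the `$gt` operator are this example's own assumptions rather than CASL's API, and the user and posts are constructed sample data.

```typescript
// Added example, not CASL's own code: a minimal ability engine showing how
// declarative permission rules are evaluated and how they round-trip as JSON
// so the browser can enforce the same rules the API computed.

type Conditions = Record<string, unknown>;

interface Rule {
  action: string;          // "read", "update", "delete", or "manage" (any action)
  subject: string;         // resource type name, or "all"
  inverted?: boolean;      // true for a "cannot" rule
  conditions?: Conditions; // per-instance matchers, e.g. { authorId: 1 }
  fields?: string[];       // if present, the rule covers only these fields
}

// A resource instance: its type name plus arbitrary attributes.
interface Subject {
  kind: string;
  [key: string]: unknown;
}

// Plain equality plus a "$gt" operator (this example's own mini query
// language, used for the 24-hour window below).
function matchesConditions(conds: Conditions | undefined, instance: Subject): boolean {
  if (!conds) return true;
  return Object.keys(conds).every((field) => {
    const expected = conds[field];
    const actual = instance[field];
    if (expected !== null && typeof expected === "object" && "$gt" in expected) {
      const bound = (expected as { $gt: number }).$gt;
      return typeof actual === "number" && actual > bound;
    }
    return actual === expected;
  });
}

class Ability {
  private readonly rules: Rule[];

  constructor(rules: Rule[]) {
    this.rules = rules;
  }

  // Denied by default. Rules are scanned in order and the last matching rule
  // decides, so a later "cannot" rule can narrow an earlier "can" rule.
  // Passing a type name instead of an instance asks "could this ever be
  // allowed?", so conditional rules count as matching in that case.
  can(action: string, subject: Subject | string, field?: string): boolean {
    const kind = typeof subject === "string" ? subject : subject.kind;
    let allowed = false;
    for (const rule of this.rules) {
      if (rule.action !== action && rule.action !== "manage") continue;
      if (rule.subject !== kind && rule.subject !== "all") continue;
      if (field !== undefined && rule.fields && rule.fields.indexOf(field) === -1) continue;
      if (typeof subject !== "string" && !matchesConditions(rule.conditions, subject)) continue;
      allowed = !rule.inverted;
    }
    return allowed;
  }

  // Rules are plain data: the server serializes them per user and the
  // browser rebuilds an equivalent Ability from the JSON.
  serialize(): string {
    return JSON.stringify(this.rules);
  }

  static deserialize(json: string): Ability {
    return new Ability(JSON.parse(json) as Rule[]);
  }
}

const DAY_MS = 24 * 60 * 60 * 1000;

interface User {
  id: number;
  role: "member" | "admin";
}

// Hypothetical per-request helper: members read any post, edit only the title
// and body of their own posts, and delete their own posts within 24 hours.
function defineRulesFor(user: User, now: number): Rule[] {
  const rules: Rule[] = [
    { action: "read", subject: "Post" },
    { action: "update", subject: "Post", conditions: { authorId: user.id }, fields: ["title", "body"] },
    { action: "delete", subject: "Post", conditions: { authorId: user.id, createdAt: { $gt: now - DAY_MS } } },
  ];
  if (user.role === "admin") rules.push({ action: "manage", subject: "all" });
  return rules;
}

// Constructed sample data: a fixed clock and three posts.
const NOW = 1700000000000;
const alice: User = { id: 1, role: "member" };
const freshOwnPost: Subject = { kind: "Post", authorId: 1, createdAt: NOW - 60 * 60 * 1000 };
const staleOwnPost: Subject = { kind: "Post", authorId: 1, createdAt: NOW - 3 * DAY_MS };
const othersPost: Subject = { kind: "Post", authorId: 2, createdAt: NOW };

// The server builds alice's rules and ships them as JSON; the "browser" side
// rebuilds the ability and answers the UI's questions from it.
function memberDecisions(): Record<string, boolean> {
  const client = Ability.deserialize(new Ability(defineRulesFor(alice, NOW)).serialize());
  return {
    readOthers: client.can("read", othersPost),
    updateOwnTitle: client.can("update", freshOwnPost, "title"),
    updateOwnAuthorId: client.can("update", freshOwnPost, "authorId"),
    updateOthers: client.can("update", othersPost),
    deleteFresh: client.can("delete", freshOwnPost),
    deleteStale: client.can("delete", staleOwnPost),
    couldDeleteSomePost: client.can("delete", "Post"),
  };
}

// An admin's "manage all" rule is last, so it overrides the member rules.
function adminDecisions(): boolean {
  const admin = new Ability(defineRulesFor({ id: 9, role: "admin" }, NOW));
  return admin.can("delete", staleOwnPost) && admin.can("update", othersPost, "authorId");
}

console.log(memberDecisions(), adminDecisions());
```

The browser copy of the rules drives what the UI shows; the API keeps evaluating the same rule set on every request, since anything held client-side is under the user's control. Field-level rules are what make `updateOwnTitle` true while `updateOwnAuthorId` stays false, and the type-only query `couldDeleteSomePost` is the kind of check a UI uses to decide whether to render a "delete" control at all.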

Copy-paste prompts

Prompt 1
Using CASL in a React app with a Node.js backend, show me how to define ability rules on the server and send them to the browser so the frontend enforces the same permissions without duplicating logic.
Prompt 2
I want users in my app to only delete posts they created in the last 24 hours. How do I write that conditional rule in CASL using TypeScript?
Prompt 3
How do I integrate CASL with Prisma so that database queries are automatically filtered based on what the current user is permitted to read?
Prompt 4
Show me how to check user permissions in a React component using CASL's Can component for both reading and editing a resource.

Verify against the repo before relying on details.