96 changes: 96 additions & 0 deletions src/casl/abilities/datablocks.ability.ts
@@ -0,0 +1,96 @@
import {
AbilityBuilder,
ExtractSubjectType,
MongoAbility,
createMongoAbility,
} from "@casl/ability";
import { Injectable } from "@nestjs/common";
import { ConfigService } from "@nestjs/config";
import { AccessGroupsType } from "src/config/configuration";
import { Action } from "../action.enum";
import {
Subjects,
PossibleAbilities,
Conditions,
} from "../types/casl-subjects";
import { JWTUser } from "src/auth/interfaces/jwt-user.interface";
import { Datablock } from "src/datablocks/schemas/datablock.schema";

@Injectable()
export class DatablockAbility {
constructor(private configService: ConfigService) {
this.accessGroups =
this.configService.get<AccessGroupsType>("accessGroups");
}
private accessGroups;

buildAbility(user: JWTUser): MongoAbility<PossibleAbilities, Conditions> {
const { can, build } = new AbilityBuilder(
createMongoAbility<PossibleAbilities, Conditions>,
);
const ifPublished = { isPublished: true };

/**
* Unauthenticated user
*/
can(Action.DatablockRead, Datablock, ifPublished);

if (!user) {
return build({
detectSubjectType: (item) =>
item.constructor as ExtractSubjectType<Subjects>,
});
}

const ifOwner = { ownerGroup: { $in: user.currentGroups } };
const ifAccess = { accessGroups: { $in: user.currentGroups } };

/**
* Authenticated user
*/
can(Action.DatablockRead, Datablock, ifOwner);
can(Action.DatablockRead, Datablock, ifAccess);
can(Action.DatablockRead, Datablock, ifPublished);

can(Action.DatablockUpdate, Datablock, ifOwner);

if (
user.currentGroups.some(
(g) =>
this.accessGroups?.createDatasetPrivileged.includes(g) ||
this.accessGroups?.createDatasetWithPid.includes(g) ||
this.accessGroups?.createDataset.includes(g),
)
) {
/**
* User belonging to CREATE_DATASET_PRIVILEGED_GROUPS,
* CREATE_DATASET_WITH_PID_GROUPS or CREATE_DATASET_GROUPS
*/
can(Action.DatablockCreate, Datablock);
can(Action.DatablockUpdate, Datablock);
}

if (user.currentGroups.some((g) => this.accessGroups?.admin.includes(g))) {
/**
* User belonging to ADMIN_GROUPS
*/
can(Action.DatablockCreate, Datablock);
can(Action.DatablockRead, Datablock);
can(Action.DatablockUpdate, Datablock);
}

if (user.currentGroups.some((g) => this.accessGroups?.delete.includes(g))) {
/**
* User belonging to DELETE_GROUPS
*/
can(Action.DatablockRead, Datablock);
can(Action.DatablockUpdate, Datablock);
can(Action.DatablockDelete, Datablock);
}

return build({
detectSubjectType: (item) =>
item.constructor as ExtractSubjectType<Subjects>,
});
}
}
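Review bot: The unauthenticated branch of `buildAbility` grants `DatablockRead` on `ifPublished` to anonymous callers before the `if (!user)` early return, whereas the removed `datablockEndpointAccess` in casl-ability.factory.ts emitted `cannot(...)` for every datablock action when `user` was falsy, so this commit widens anonymous access; if that is intended, the header comment should say so, e.g. `/** Unauthenticated users: read access to published datablocks only (previously denied) */`. `private accessGroups;` carries no type and is an implicit `any` under noImplicitAny; `private accessGroups?: AccessGroupsType;` keeps the `this.accessGroups?.` chaining meaningful and lets the compiler check the `createDataset*`, `admin` and `delete` property names used in the group checks. The `ifPublished` read rule is registered a second time in the authenticated section although the first registration already applies to every caller, so one of the two can be dropped. Note also that updates are now conditioned on `ownerGroup` where the removed `datablockInstanceAccess` used `accessGroups` despite its own comment, a tightening worth recording in the PR description.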
22 changes: 6 additions & 16 deletions src/casl/action.enum.ts
Expand Up @@ -13,6 +13,12 @@ export enum Action {
// Currently used by addAccessBasedFilters for admin/special group users
AccessAny = "access_any",

// Datablock
DatablockCreate = "datablock_create",
DatablockRead = "datablock_read",
DatablockUpdate = "datablock_update",
DatablockDelete = "datablock_delete",

// ---------------
// Datasets
// endpoint authorization actions
Expand Down Expand Up @@ -105,22 +111,6 @@ export enum Action {
OrigdatablockDeleteOwner = "origdatablock_delete_owner",
OrigdatablockDeleteAny = "origdatablock_delete_any",

// -------------
// Datablock
// endpoint authorization actions
DatablockCreateEndpoint = "datablock_create_endpoint",
DatablockReadEndpoint = "datablock_read_endpoint",
DatablockUpdateEndpoint = "datablock_update_endpoint",
DatablockDeleteEndpoint = "datablock_delete_endpoint",
// individual actions
DatablockCreateInstance = "datablock_create_instance",
DatablockReadInstance = "datablock_read_instance",
DatablockUpdateInstance = "datablock_update_instance",
// admin actions
DatablockReadAny = "datablock_read_any",
DatablockUpdateAny = "datablock_update_any",
DatablockDeleteAny = "datablock_delete_any",

// Proposals
// endpoint authorization actions
ProposalsCreate = "proposals_create",
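Review bot: Deleting the `Datablock*Endpoint`, `Datablock*Instance` and `Datablock*Any` members breaks any guard or controller decorator that still references them, and the datablocks controller is not part of this commit; if it is updated in a later commit of the PR that is fine, but this commit on its own would then not compile. The new `// Datablock` group would also read more consistently with the `// ---------------` divider its neighbours use, plus a one-line note such as `// single action set used for both endpoint and instance checks`, since the removed comments distinguished the two levels.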
93 changes: 7 additions & 86 deletions src/casl/casl-ability.factory.ts
Expand Up @@ -11,7 +11,6 @@ import { JobConfigService } from "src/config/job-config/jobconfig.service";
import { JWTUser } from "src/auth/interfaces/jwt-user.interface";
import { AccessGroupsType } from "src/config/configuration";
import { Attachment } from "src/attachments/schemas/attachment.schema";
import { Datablock } from "src/datablocks/schemas/datablock.schema";
import { DatasetClass } from "src/datasets/schemas/dataset.schema";
import { Instrument } from "src/instruments/schemas/instrument.schema";
import { JobClass } from "src/jobs/schemas/job.schema";
Expand All @@ -29,6 +28,7 @@ import { SampleClass } from "src/samples/schemas/sample.schema";
import { User } from "src/users/schemas/user.schema";
import { Action } from "./action.enum";
import { Subjects, PossibleAbilities, Conditions } from "./types/casl-subjects";
import { DatablockAbility } from "./abilities/datablocks.ability";

export type AppAbility = MongoAbility<PossibleAbilities, Conditions>;

Expand All @@ -37,6 +37,7 @@ export class CaslAbilityFactory {
constructor(
private configService: ConfigService,
private jobConfigService: JobConfigService,
private datablockAbility: DatablockAbility,
) {
this.accessGroups =
this.configService.get<AccessGroupsType>("accessGroups");
Expand All @@ -47,7 +48,7 @@ export class CaslAbilityFactory {
[endpoint: string]: (user: JWTUser) => AppAbility;
} = {
attachments: this.attachmentEndpointAccess,
datablocks: this.datablockEndpointAccess,
datablocks: this.datablockAccess,
datasets: this.datasetEndpointAccess,
history: this.historyEndpointAccess,
instruments: this.instrumentEndpointAccess,
Expand All @@ -74,6 +75,10 @@ export class CaslAbilityFactory {
return accessFunction.call(this, user);
}

datablockAccess(user: JWTUser) {
return this.datablockAbility.buildAbility(user);
}

datasetEndpointAccess(user: JWTUser) {
const { can, cannot, build } = new AbilityBuilder(
createMongoAbility<PossibleAbilities, Conditions>,
Expand Down Expand Up @@ -883,34 +888,6 @@ export class CaslAbilityFactory {
});
}

datablockEndpointAccess(user: JWTUser) {
const { can, cannot, build } = new AbilityBuilder(
createMongoAbility<PossibleAbilities, Conditions>,
);
if (user) {
can(Action.DatablockCreateEndpoint, Datablock);
can(Action.DatablockReadEndpoint, Datablock);
can(Action.DatablockUpdateEndpoint, Datablock);

if (
user.currentGroups.some((g) => this.accessGroups?.delete.includes(g))
) {
can(Action.DatablockDeleteEndpoint, Datablock);
} else {
cannot(Action.DatablockDeleteEndpoint, Datablock);
}
} else {
cannot(Action.DatablockCreateEndpoint, Datablock);
cannot(Action.DatablockReadEndpoint, Datablock);
cannot(Action.DatablockUpdateEndpoint, Datablock);
cannot(Action.DatablockDeleteEndpoint, Datablock);
}

return build({
detectSubjectType: (item) =>
item.constructor as ExtractSubjectType<Subjects>,
});
}
runtimeConfigEndpointAccess(user: JWTUser) {
const { can, build } = new AbilityBuilder(
createMongoAbility<PossibleAbilities, Conditions>,
Expand Down Expand Up @@ -2379,62 +2356,6 @@ export class CaslAbilityFactory {
});
}

datablockInstanceAccess(user: JWTUser) {
const { can, build } = new AbilityBuilder(
createMongoAbility<PossibleAbilities, Conditions>,
);
if (user) {
// Can read if user is in ownerGroup/accessGroup or if published
can(Action.DatablockReadInstance, Datablock, {
ownerGroup: { $in: user.currentGroups },
});
can(Action.DatablockReadInstance, Datablock, {
accessGroups: { $in: user.currentGroups },
});
can(Action.DatablockReadInstance, Datablock, { isPublished: true });

// Can update if in ownerGroup
can(Action.DatablockUpdateInstance, Datablock, {
accessGroups: { $in: user.currentGroups },
});

// Ingestor group is allowed to create/update
if (
user.currentGroups.some((g) =>
this.accessGroups?.createDataset.includes(g),
) ||
user.currentGroups.some((g) =>
this.accessGroups?.createDatasetPrivileged.includes(g),
) ||
user.currentGroups.some((g) =>
this.accessGroups?.createDatasetWithPid.includes(g),
)
) {
can(Action.DatablockCreateInstance, Datablock);
can(Action.DatablockUpdateAny, Datablock);
}

if (
user.currentGroups.some((g) => this.accessGroups?.delete.includes(g))
) {
can(Action.DatablockReadAny, Datablock);
can(Action.DatablockUpdateAny, Datablock);
can(Action.DatablockDeleteAny, Datablock);
}
if (
user.currentGroups.some((g) => this.accessGroups?.admin.includes(g))
) {
can(Action.DatablockCreateInstance, Datablock);
can(Action.DatablockReadAny, Datablock);
can(Action.DatablockUpdateAny, Datablock);
}
}
return build({
detectSubjectType: (item) =>
item.constructor as ExtractSubjectType<Subjects>,
});
}

metadataKeyInstanceAccess(user: JWTUser) {
const { can, build } = new AbilityBuilder(
createMongoAbility<PossibleAbilities, Conditions>,
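Review bot: `datablockAccess` has no return type annotation while every entry in the endpoint table is typed `(user: JWTUser) => AppAbility`, so the contract is only enforced at the table assignment; `datablockAccess(user: JWTUser): AppAbility {` makes the wrapper self-describing and catches a future change in `DatablockAbility.buildAbility`'s return type at the definition. A short TSDoc comment would also help, stating that this single function replaces both the removed `datablockEndpointAccess` and `datablockInstanceAccess` and that datablocks no longer have separate endpoint and instance abilities. The enclosing `CaslAbilityFactory` class starts and ends outside the shown hunks.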
4 changes: 3 additions & 1 deletion src/casl/casl.module.ts
Expand Up @@ -2,9 +2,11 @@ import { Module } from "@nestjs/common";
import { ConfigModule } from "@nestjs/config";
import { CaslAbilityFactory } from "./casl-ability.factory";
import { JobConfigModule } from "src/config/job-config/jobconfig.module";
import { DatablockAbility } from "./abilities/datablocks.ability";

@Module({
imports: [JobConfigModule, ConfigModule],
providers: [CaslAbilityFactory],
providers: [CaslAbilityFactory, DatablockAbility],
exports: [CaslAbilityFactory],
})
export class CaslModule {}