After reading the guides and searching Google for some time, I couldn't find a way in CASL to solve my use case.
Expected
- A common user can only patch his appointments.
- A common user can only patch `appointment.status` from 'created' to 'cancelled' (not to other values, like 'kept').
(The status field may have one of these values: 'created', 'cancelled', 'kept', 'broken'... But some values like 'kept', 'broken' can be set only by users with a special role, e.g. 'supervisor', not by a common user.)
My Code
    import { AbilityBuilder, createMongoAbility, subject } from '@casl/ability';

    // define rules
    async function defineAbilitiesFor(user) {
      const { can, build } = new AbilityBuilder(createMongoAbility);
      if (user) {
        can('patch', 'appointments', { user_id: user.id, status: 'created' });
        // Nowhere to define a rule limiting which status value may be patched in
      }
      return build();
    }

    // test rules
    const user = { id: 1 };
    const ability = await defineAbilitiesFor(user);
    const appointment = { /* ... */ user_id: 1, status: 'created' };
    const toPatch = { status: 'cancelled' };
    ability.can('patch', subject('appointments', appointment)); // Nowhere to check `toPatch` data
$in does not suit my situation
    can('patch', 'appointments', { user_id: user.id, status: { $in: ['created', 'cancelled'] } });
cannot solve two issues:
- A common user can still update an appointment to another status, e.g. 'broken' (but an appointment can only be set to broken by a supervisor user).
- A common user can update an appointment from 'cancelled' back to 'created' (but an appointment can only be cancelled once).
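One way to express both constraints is to evaluate the rule against a combined subject that holds the current appointment plus the pending patch, so the condition can name both the old status and the new one. The block below is an added illustration, not code from the original post or from CASL: a small dot-path matcher stands in for CASL's condition evaluation so it runs without `@casl/ability`, and the `patch.status` key, `STATUSES` list and `role` field are assumptions.

```javascript
// Added example: ownership + status-transition check on a combined subject.
// The matcher below is a minimal stand-in for CASL's MongoDB-style condition
// evaluation (equality on dot-paths only); it is not CASL itself.
const STATUSES = ['created', 'cancelled', 'kept', 'broken']; // assumed value set

function getPath(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Every condition key must equal the value found at that dot-path in the subject.
function matches(conditions, subject) {
  return Object.entries(conditions).every(([path, v]) => getPath(subject, path) === v);
}

// Rules are written against { ...appointment, patch } so they can constrain
// both the current status and the status the caller is trying to set.
function defineRulesFor(user) {
  const rules = [];
  const can = (action, type, conditions) => rules.push({ action, type, conditions });
  if (!user) return rules;
  if (user.role === 'supervisor') {
    can('patch', 'appointments', {}); // any appointment, any transition
  } else {
    // common user: own appointments only, and only created -> cancelled
    can('patch', 'appointments', { user_id: user.id, status: 'created', 'patch.status': 'cancelled' });
  }
  return rules;
}

function canPatch(user, appointment, patch) {
  // reject unknown status values before any rule is consulted
  if (patch.status !== undefined && !STATUSES.includes(patch.status)) return false;
  const combined = { ...appointment, patch };
  return defineRulesFor(user).some(
    r => r.action === 'patch' && r.type === 'appointments' && matches(r.conditions, combined)
  );
}

// constructed sample data
const owner = { id: 1, role: 'user' };
const supervisor = { id: 9, role: 'supervisor' };
const created = { user_id: 1, status: 'created' };
const cancelled = { user_id: 1, status: 'cancelled' };
```

A common user's patch that does not touch `status` is denied by this rule set; add a separate rule without the `patch.status` condition if such patches should be allowed.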