I have defined a CASL rule for a User subject, with a condition to allow read access only to users belonging to a specific Org. Here is my implementation:
import { AbilityBuilder, createMongoAbility, subject } from "@casl/ability";

function defineAbilityFor(user) {
  const { can, build } = new AbilityBuilder(createMongoAbility);
  // Allow reading User records only when they belong to the caller's org
  can("read", "User", { orgId: user.orgId });
  return build();
}
The rule works as expected when I check permissions for a specific user object:
defineAbilityFor({ orgId: "123" }).can("read", subject("User", { orgId: "123" })); // true
However, this also returns true:
defineAbilityFor({ orgId: "123" }).can("read", "User"); // true
I don’t understand why the second example returns true since I expected it to only allow read access when the orgId matches. Could someone explain why this is happening? A reference to the relevant documentation would be helpful.
Additionally, how can I modify my defineAbilityFor function to ensure that only the first example returns true and the second returns false?