CASL is an isomorphic authorization JavaScript library which restricts what resources a given user is allowed to access


CASL (pronounced /ˈkæsəl/, like castle) is an isomorphic authorization JavaScript library which restricts what resources a given user is allowed to access. All permissions are defined in a single location (the Ability class) and not duplicated across UI components, API services, and database queries.

Heavily inspired by cancan.


  • supports MongoDB like conditions ($eq$ne$in$all$gt$lt$gte$lte$exists$regex, field dot notation)
  • supports direct and inverted rules (i.e., can & cannot)
  • provides ES6 build, so you are able to shake out unused functionality
  • provides easy integration with popular frontend frameworks
  • provides easy integration with mongoose and MongoDB
  • serializable rules which can be stored or cached in JWT token or any other storage

Getting started

CASL can be used together with any data layer, any HTTP framework and even any frontend framework because of its isomorphic nature. Also, it doesn’t force you to choose a database (however currently is the best integrated with MongoDB). See the examples for details.

CASL concentrates all attention at what a user can actually do and allows to create abilities in DSL style. Lets see how

1. Define Abilities

Lets define Ability for a blog website where visitors:

  • can read everything.
  • can manage (i.e., create, update, delete, read) posts which were created by them
  • cannot delete post if it has at least 1 comment
import { AbilityBuilder } from '@casl/ability'

const ability = AbilityBuilder.define((can, cannot) => {
  can('read', 'all')
  can('manage', 'Post', { author: })
  cannot('delete', 'Post', { 'comments.0': { $exists: true } })

Yes, you can use some operators from MongoDB query language to define conditions for your abilities. See Defining Abilitiesfor details. It’s also possible to store CASL abilities in a database.

2. Check Abilities

Later on you can check abilities by using can and cannot.

class Post {
  constructor(props) {
    Object.assign(this, props)

// true if ability allows to read at least one Post
ability.can('read', 'Post')

// true if ability does not allow to read a post
const post = new Post({ title: 'What is CASL?' })
ability.cannot('read', post)

See Check Abilities for details.

3. MongoDB integration

CASL has a complementary package @casl/mongoose which provides easy integration with MongoDB database. That package provides mongoose middleware which hides all boilerplate under convenient accessibleBy method.

const { AbilityBuilder } = require('@casl/ability')
const { accessibleRecordsPlugin } = require('@casl/mongoose')
const mongoose = require('mongoose')


const ability = AbilityBuilder.define(can => {
  can('read', 'Post', { author: 'me' })

const Post = mongoose.model('Post', mongoose.Schema({
  title: String,
  author: String,
  content: String,
  createdAt: Date

// by default it asks for `read` rules
// returns mongoose Query, so you can chain it with other conditions
Post.accessibleBy(ability).where({ createdAt: { $gt: - 24 * 3600 } })

// also you can call it on existing query to enforce visibility.
// In this case it returns empty array because rules does not allow to read Posts of `someoneelse` author
Post.find({ author: 'someoneelse' }).accessibleBy(ability).exec()

See Database integration for details.

Subscribe to the Newsletter

Get our latest news,tutorials,guides,tips & deals delivered to your inbox.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.