Improvement: Role not found

[ruslanguns]

By default if you have an unknown role the server throws an error:

[Nest] 12948   - 2020-05-15 17:03:24   [ExceptionsHandler] Role not found: "ASDFASDF" +325454ms
AccessControlError: Role not found: "ASDFASDF"

and returns an object like this:

{
    "statusCode": 500,
    "message": "Internal server error"
}

In my opinion ACL should just ignore this unknown role. What do you think?

[ruslanguns]

Here's another idea of improving when there's an empty array #23

[ruslanguns]

Maybe with an interceptor for serializing the roles by deleting the unknown roles from the array, what do you think? this feature maybe interested to be handled from this package instead?.

[bashleigh]

Hey @ruslanguns! Someone has already built an interceptor for this package! However I've been absolutely abysmal at keeping up to date with everything the past 2 years! #18

However getting to your original issue! I'm not sure I 100% follow! So is this a permission from the database or a permission provided to the RoleBuilder? If it was a permission provided to the RoleBuilder I would've expected an exception

[ruslanguns]

However getting to your original issue! I'm not sure I 100% follow! So is this a permission from the database or a permission provided to the RoleBuilder? If it was a permission provided to the RoleBuilder I would've expected an exception

Actually you could have the permission in the db or in memory with RB. The idea is that if you remove or suspend certain global permission or an action from your RB, you would not need to update all users affected, as the permission does not exist in memory, everything continues to work correctly.

Otherwise, as is happening right now, if any existing permission in the User that does not exist in the RB memory, either because it is misspelled or simply does not exist, the application throws an error. Ignore is better!

[bashleigh]

Ahhhh yes, sorry, misunderstood. So, if you're using typeorm you could use a subscriber to update your roleBuilder's roles but that wouldn't invoke a change when the DB is updated manually but that is to be expected. If you wanted to use Redis by all means you could! Create a redis listener in the nestjs application and update the roles when a changes has been fired!

Yea there shouldn't be an exceptionif the user has extra permissions than specified then an exception shouldn't be throw. I'll have a look to see where that's being thrown!

[bashleigh]

@ruslanguns don't suppose you've got a stack trace?

[ruslanguns]

Ahhhh yes, sorry, misunderstood. So, if you're using typeorm you could use a subscriber to update your roleBuilder's roles but that wouldn't invoke a change when the DB is updated manually but that is to be expected. If you wanted to use Redis by all means you could! Create a redis listener in the nestjs application and update the roles when a changes has been fired!

Yea there shouldn't be an exceptionif the user has extra permissions than specified then an exception shouldn't be throw. I'll have a look to see where that's being thrown!

Absolutely they are great ideas. I am doing something similar. However there is a simpler way to fix this behavior, so I appreciate your help

[ruslanguns]

@ruslanguns don't suppose you've got a stack trace?

A stack trace sounds good.

[SrSadra]

I have also this problem but I have read all the comments here and #23 and none of them helped.

this is my rbac policy :

` export const rbac_policy: RolesBuilder = new RolesBuilder();

rbac_policy.grant(Roles.User)// grant is for which role we want to set its access
.readOwn("userDetail") // users can only read their own data
.grant(Roles.Admin)
.extend(Roles.User) // Roles.User = "USER"
.createAny("word") // can create any words
.updateAny("word") // words
.deleteAny("word") // words
.readAny("word") // words
.readAny("userDetail") // read any user info
.grant(Roles.Manager) // Roles.Manager = "MANAGER"
.extend(Roles.Admin)
.updateAny("user") //
.updateAny("admin") //
.readAny("admin") // read admins info `

this is my manager.controller

` @UseGuards(jwtAuthGuard , ACGuard)
@controller("manager")
export class managerController {
constructor(private managerS : managerService){}

@UseRoles({
    possession : "any",
    action : "update",
    resource : "user"
})
@Post("promote/:email")
async promoteUser(@Param("email") email : string){
    return await this.managerS.promoteUser(email);
}

@UseRoles({
    possession: "any",
    action : "read",
    resource : "admin"
})
@Get("admins")
async getAdmins(){
    console.log("asdd");
    return await this.managerS.getAdmins();
}


@UseRoles({
    possession : "any",
    action : "update",
    resource : "admin"
})
@Post("demote/:email")
async demoteAdmin(@Param("email") email : string){
    return await this.managerS.demoteAdmin(email);
}

} `

and after trying to promote user to admin it gives me AccessControlError: Invalid role(s): [] .Can anyone help me please?