You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The expected result is that if another user try to update personalInfo , it should be not allowed to do it.
The actual result is that all can update every field.
Am I doing anything wrong?
The text was updated successfully, but these errors were encountered:
The issue is that you define abilities which intersects. One says everybody can update Post another one says only owners can do that. Post.accessibleBy doesn't filter results on field basis but instead on subject basis.
Note: permittedFieldsBy is deprecated, it was renamed to accessibleFieldsBy for consistency. I didn't have time to update docs. Plan to do this in few weeks
Hello, I have the following case.
My subject Post has the following date:
The update rules are:
When I define my ability I do:
I am using this ability inside my Mongoose query :
const doc = Post.accessibleBy(ability, 'update)...
The expected result is that if another user try to update
personalInfo
, it should be not allowed to do it.The actual result is that all can update every field.
Am I doing anything wrong?
The text was updated successfully, but these errors were encountered: