Skip to Content
API Reference

API Reference

This section provides a detailed reference of the Asgardian API, including all available functions, their parameters, and usage examples.

Core Functions

createAbility

Creates a new ability instance for defining and checking permissions.

Type Definition

function createAbility< ExtendedActions extends string = 'manage' | 'create' | 'read' | 'update' | 'delete', ExtendedResources extends string = 'all' >(): CreateAbility<ExtendedActions, ExtendedResources>

Generic Parameters

  • ExtendedActions: Custom action types to extend the default actions
  • ExtendedResources: Custom resource types to extend the default resources

Returns

Returns an object with methods for defining and checking permissions.

Examples

// Basic usage const ability = createAbility() // With custom actions const ability = createAbility<'publish' | 'archive'>() // With custom resources const ability = createAbility<never, 'Post' | 'Comment'>() // With both custom actions and resources const ability = createAbility<'publish' | 'archive', 'Post' | 'Comment'>()

Permission Methods

can

Defines rules allowing specific actions on resources.

Type Definition
can( action: Action<ExtendedActions> | Action<ExtendedActions>[], resource: Resource<ExtendedResources>, conditions?: Condition ): CreateAbility<ExtendedActions, ExtendedResources> & { reason: (message: string) => CreateAbility<ExtendedActions, ExtendedResources> }
Parameters
  • action: Single action or array of actions to allow
  • resource: The resource the actions apply to
  • conditions: Optional conditions that must be met for the permission to apply
Examples
// Single action ability.can('read', 'Post') // Multiple actions ability.can(['create', 'update'], 'Post') // With reason ability.can('delete', 'Post').reason('You can delete this post') // With conditions ability.can('read', 'Post', { published: true }).reason('Can only read published posts') // Chaining ability .can('read', 'Post') .can('create', 'Comment') .can('update', 'Comment', { authorId: 123 }) .reason('Can only update own comments')

cannot

Defines rules explicitly denying specific actions on resources.

Type Definition
cannot( action: Action<ExtendedActions>, resource: Resource<ExtendedResources>, conditions?: Condition ): CreateAbility<ExtendedActions, ExtendedResources> & { reason: (message: string) => CreateAbility<ExtendedActions, ExtendedResources> }
Parameters
  • action: Action to deny
  • resource: The resource the action applies to
  • conditions: Optional conditions for when the denial applies
Examples
// Single action ability.cannot('delete', 'Post') // Multiple actions ability.cannot(['create', 'delete'], 'Post') // With reason ability.cannot('delete', 'Post').reason('Deletion not allowed for security') // With conditions ability.cannot('update', 'Post', { archived: true }) // Chaining ability .cannot('read', 'Post') .cannot('create', 'Post') .cannot('update', 'Post', { authorId: 456 }) .reason('Can only delete own posts')

isAllowed

Checks if an action is allowed on a resource.

Type Definition
isAllowed( action: Action<ExtendedActions> | Action<ExtendedActions>[], resource: Resource<ExtendedResources>, conditions?: Condition ): boolean
Parameters
  • action: Single action or array of actions to check
  • resource: The resource to check against
  • conditions: Optional conditions to evaluate
Examples
// Basic check ability.isAllowed('read', 'Post') // true/false // Check multiple actions ability.isAllowed(['read', 'update'], 'Post') // true/false // With conditions ability.isAllowed('read', 'Post', { published: true }) // true/false

notAllowed

Inverse of isAllowed. Checks if an action is not allowed on a resource.

Type Definition
notAllowed( action: Action<ExtendedActions> | Action<ExtendedActions>[], resource: Resource<ExtendedResources>, conditions?: Condition ): boolean
Parameters
  • action: Single action or array of actions to check
  • resource: The resource to check against
  • conditions: Optional conditions to evaluate
Examples
// Basic check ability.notAllowed('delete', 'Post') // true/false // With conditions ability.notAllowed('update', 'Post', { archived: true }) // true/false

getReason

Retrieves the reason why an action was denied on a resource.

Type Definition
getReason( action: Action<ExtendedActions> | Action<ExtendedActions>[], resource: Resource<ExtendedResources>, conditions?: Condition ): string | undefined
Parameters
  • action: Single action or array of actions to check
  • resource: The resource to check against
  • conditions: Optional conditions to evaluate
Examples
// Set up rules with reasons ability .cannot('delete', 'Post').reason('Deletion not allowed') .cannot('update', 'Post', { archived: true }).reason('Cannot update archived posts') // Get reasons const deleteReason = ability.getReason('delete', 'Post') // Returns: "Deletion not allowed" const updateReason = ability.getReason('update', 'Post', { archived: true }) // Returns: "Cannot update archived posts" const unknownReason = ability.getReason('create', 'Post') // Returns: undefined

throwIfNotAllowed

Throws a ForbiddenError if an action is not allowed on a resource.

Type Definition
throwIfNotAllowed( action: Action<ExtendedActions> | Action<ExtendedActions>[], resource: Resource<ExtendedResources>, conditions?: Condition ): void
Parameters
  • action: Single action or array of actions to check
  • resource: The resource to check against
  • conditions: Optional conditions to evaluate
Examples
// Set up rules ability.cannot('delete', 'Post').reason('Deletion forbidden') // This will throw try { ability.throwIfNotAllowed('delete', 'Post') } catch (error) { if (error instanceof ForbiddenError) { console.error(error.message) // "Deletion forbidden" } } // This won't throw if allowed ability.can('read', 'Post') ability.throwIfNotAllowed('read', 'Post') // No error

Special Values

Default Actions

  • manage: Grants all permissions
  • create: Allows creation
  • read: Allows reading
  • update: Allows updates
  • delete: Allows deletion

Special Resources

  • all: Matches any resource

Rule Resolution

  1. Rules are evaluated in order of definition
  2. More specific rules take precedence over general rules
  3. Multiple matching rules are combined with OR logic
  4. cannot rules take precedence over can rules
  5. Conditions must be fully satisfied for a rule to match
  6. The most recent matching rule’s reason is returned by getReason()

Type Definitions

type Action<T extends string = never> = | 'manage' | 'create' | 'read' | 'update' | 'delete' | T type Resource<T extends string = never> = 'all' | T type Condition = Record<PropertyKey, unknown> type Rule<A extends string, R extends string> = { action: Action<A> | Action<A>[] resource: Resource<R> inverted?: boolean conditions?: Condition reason?: string }
💡
Tip

See the Operators guide for advanced condition handling using built-in operators.

Last updated on