{"id":13487592,"url":"https://github.com/eggjs/egg-cancan","last_synced_at":"2026-01-23T18:16:18.766Z","repository":{"id":17579015,"uuid":"135277790","full_name":"eggjs/egg-cancan","owner":"eggjs","description":"cancancan like authorization plugin for Egg.js","archived":false,"fork":false,"pushed_at":"2022-01-25T15:30:38.000Z","size":85,"stargazers_count":47,"open_issues_count":1,"forks_count":4,"subscribers_count":13,"default_branch":"master","last_synced_at":"2025-10-08T00:33:38.179Z","etag":null,"topics":["cancan","cancancan","egg","egg-plugin","eggjs","roles"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eggjs.png","metadata":{"files":{"readme":"README.md","changelog":"History.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-05-29T10:09:22.000Z","updated_at":"2024-07-14T08:40:43.000Z","dependencies_parsed_at":"2022-08-07T08:16:06.237Z","dependency_job_id":null,"html_url":"https://github.com/eggjs/egg-cancan","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/eggjs/egg-cancan","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eggjs%2Fegg-cancan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eggjs%2Fegg-cancan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eggjs%2Fegg-cancan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eggjs%2Fegg-cancan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eggjs","download_url":"https://codeload.github.com/eggjs/egg-cancan/tar.gz/refs/heads/master","sbom_url":"h
ttps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eggjs%2Fegg-cancan/sbom","scorecard":{"id":368714,"data":{"date":"2025-08-11","repo":{"name":"github.com/eggjs/egg-cancan","commit":"5a21f2f20dff4b0707d3e74c69d80e032a5b8f9b"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.6,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":0,"reason":"Found 1/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/nodejs.yml:1","Info: no 
jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":3,"reason":"dependency not pinned by hash detected -- score normalized to 3","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/eggjs/egg-cancan/nodejs.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/eggjs/egg-cancan/nodejs.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/nodejs.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/eggjs/egg-cancan/nodejs.yml/master?enable=pin","Warn: npmCommand not pinned by hash: .github/workflows/nodejs.yml:39","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   1 out of   2 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge 
detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection 
settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 3 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-18T12:29:04.371Z","repository_id":17579015,"created_at":"2025-08-18T12:29:04.371Z","updated_at":"2025-08-18T12:29:04.371Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28697428,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-23T17:25:48.045Z","status":"ssl_error","status_checked_at":"2026-01-23T17:25:47.153Z","response_time":59,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cancan","cancancan","egg","egg-plugin","eggjs","roles"],"created_at":"2024-07-31T18:01:00.966Z","updated_at":"2026-01-23T18:16:18.736Z","avatar_url":"https://github.com/eggjs.png","language":"JavaScript","funding_links":[],"categories":["repository"],"sub_categories":["plugin"],"readme":"# egg-cancan\n\n[Cancancan](https://github.com/CanCanCommunity/cancancan)-like authorization plugin for Egg.js\n\n\u003e This plugin captures our best practice from developing [yuque.com](https://yuque.com).\n\n[![NPM version][npm-image]][npm-url]\n[![build status][travis-image]][travis-url]\n[![Test coverage][codecov-image]][codecov-url]\n[![David deps][david-image]][david-url]\n[![Known Vulnerabilities][snyk-image]][snyk-url]\n[![npm download][download-image]][download-url]\n\n[npm-image]: https://img.shields.io/npm/v/egg-cancan.svg\n[npm-url]: https://npmjs.org/package/egg-cancan\n[travis-image]: https://img.shields.io/travis/eggjs/egg-cancan.svg\n[travis-url]: https://travis-ci.org/eggjs/egg-cancan\n[codecov-image]: https://img.shields.io/codecov/c/github/eggjs/egg-cancan.svg\n[codecov-url]: https://codecov.io/github/eggjs/egg-cancan?branch=master\n[david-image]: https://img.shields.io/david/eggjs/egg-cancan.svg\n[david-url]: https://david-dm.org/eggjs/egg-cancan\n[snyk-image]: https://snyk.io/test/npm/egg-cancan/badge.svg\n[snyk-url]: https://snyk.io/test/npm/egg-cancan\n[download-image]: https://img.shields.io/npm/dm/egg-cancan.svg\n[download-url]: https://npmjs.org/package/egg-cancan\n\n\u003c!--\nDescription 
here.\n--\u003e\n\n## Install\n\n```bash\n$ npm i egg-cancan --save\n```\n\n## Usage\n\n```js\n// {app_root}/config/plugin.js\nexports.cancan = {\n  enable: true,\n  package: 'egg-cancan',\n};\n```\n\n## Configuration\n\n```js\n// {app_root}/config/config.default.js\nexports.cancan = {\n  // name of the ctx method that returns the currently logged-in user instance\n  contextUserMethod: 'user',\n  // cache Ability check results within one request context (see below)\n  cache: false,\n  // log the result of every authorization check\n  log: false,\n};\n```\n\n## Defining Abilities\n\nYou must create an `app/ability.js` file.\n\nThe Ability class is where all user permissions are defined. An example class looks like this:\n\n```js\n'use strict';\n\nconst { BaseAbility } = require('egg-cancan');\n\nclass Ability extends BaseAbility {\n  constructor(ctx, user) {\n    // `user` is the current user (from `contextUserMethod`), or null/undefined for anonymous requests\n    super(ctx, user);\n  }\n\n  async rules(action, obj, options = {}) {\n    const { type } = options;\n\n    if (type === 'topic') {\n      if (action === 'update') {\n        return await this.canUpdateTopic(obj);\n      }\n\n      if (action === 'delete') {\n        return await this.canDeleteTopic(obj);\n      }\n    }\n\n    // Every action/type not matched above is allowed. This default is fail-open:\n    // add a branch for each new action, or return false here to deny by default.\n    return true;\n  }\n\n  async canUpdateTopic(topic) {\n    // only the author may update; guard against an anonymous (null) user\n    if (this.user && topic.user_id === this.user.id) return true;\n    return false;\n  }\n\n  async canDeleteTopic(topic) {\n    // only admins may delete\n    if (this.user && this.user.admin) return true;\n    return false;\n  }\n}\n```\n\n### Action alias\n\n| Action | Alias |\n| ------ | ----- |\n| read   | show, read |\n| update | edit, update |\n| create | new, create |\n| delete | destroy, delete |\n\n### Cache check result in same Context\n\nAbility can cache check results in the current `ctx`; enable it in `config/config.default.js`:\n\n```js\nexports.cancan = {\n  // default is disabled\n  cache: true,\n};\n```\n\nWhen enabled, every `can` call goes through the cache first:\n\n```\nctx.can('read', user);\n- check cache in ability._cache\n    found -\u003e return\n  not exist -\u003e\n    execute `rules` to real check\n    write to _cache\n    return\n```\n\nThe default cache key is the stringified `action + obj + options`:\n\n```bash\nability.cacheKey('read', { id: 1 }, { type: 'user' });\n=\u003e 'read-{id:1}-{type:\"user\"}'\n```\n\nYou can change it by overriding the `cacheKey` method, for example:\n\n```js\nclass Ability extends BaseAbility {\n  cacheKey(action, obj, options) {\n    return [action, obj.cacheKey, options.type].join(':');\n  }\n}\n```\n\nMake sure a custom key changes whenever the fields your `rules` read change (for example by including an `updated_at` or version field); otherwise a result cached earlier in the same request is reused after the object has been modified.\n\n## Check Abilities\n\nThe `ctx.can` method resolves to `true` or `false`:\n\n```js\nlet can;\n\ncan = await ctx.can('create', topic, { type: 'topic' });\ncan = await ctx.can('read', topic, { type: 'topic' });\ncan = await ctx.can('update', topic, { type: 'topic' });\ncan = await ctx.can('delete', topic, { type: 'topic' });\n\ncan = await ctx.can('update', user, { type: 'user' });\n\n// For an egg-sequelize model instance the `type` option can be omitted\nconst topic = await ctx.model.Topic.findById(...);\ncan = await ctx.can('update', topic);\n```\n\nThe `ctx.authorize` method:\n\n```js\nawait ctx.authorize('read', topic);\n// if the check passes, nothing happens\n// if it fails, a CanCanAccessDenied error is thrown\n```\n\n## Handle Unauthorized Access\n\nIf the `ctx.authorize` check fails, a `CanCanAccessDenied` error is thrown. You can catch it in a middleware and turn it into a response.\n\nAdd a new file `app/middleware/handle_authorize.js`:\n\n```js\nmodule.exports = () =\u003e {\n  return async function handleAuthorize(ctx, next) {\n    try {\n      await next();\n    } catch (e) {\n      if (e.name === 'CanCanAccessDenied') {\n        ctx.status = 403;\n        ctx.body = 'Access Denied';\n      } else {\n        throw e;\n      }\n    }\n  };\n};\n```\n\nThen enable the middleware in `config/config.default.js`:\n\n```js\nexports.middleware = [\n  ...\n  'handleAuthorize',\n  ...\n];\n```\n\n## Testing your abilities\n\nOnce you have written `app/ability.js`, you will want test cases for it. The example below assumes:\n\n- egg-sequelize\n- factory-girl-sequelize\n\nCreate a test file `test/ability.test.js`:\n\n```js\n'use strict';\n\nconst { app, assert } = require('egg-mock/bootstrap');\n// `create` is the factory-girl-sequelize helper registered in your test setup\n\ndescribe('Ability', () =\u003e {\n  let allow, user, ability, anonymousAbility, ctx;\n\n  before(async () =\u003e {\n    ctx = app.mockContext();\n    user = await create('user');\n    ability = new app.Ability(ctx, user);\n    anonymousAbility = new app.Ability(ctx, null);\n  });\n\n  describe('Topic', () =\u003e {\n    describe('Anonymous', () =\u003e {\n      it('should work', async () =\u003e {\n        const topic = await create('topic');\n        allow = await anonymousAbility.can('create', topic);\n        assert.equal(true, allow);\n        allow = await anonymousAbility.can('read', topic);\n        assert.equal(true, allow);\n        allow = await anonymousAbility.can('update', topic);\n        assert.equal(false, allow);\n        allow = await anonymousAbility.can('destroy', topic);\n        assert.equal(false, allow);\n      });\n    });\n\n    describe('Author', () =\u003e {\n      it('should work', async () =\u003e {\n        const topic = await create('topic', { user_id: user.id });\n        allow = await ability.can('create', topic);\n        assert.equal(true, allow);\n        allow = await ability.can('read', topic);\n        assert.equal(true, allow);\n        allow = await ability.can('update', topic);\n        assert.equal(true, allow);\n        allow = await ability.can('destroy', topic);\n        assert.equal(true, allow);\n      });\n    });\n  });\n});\n```\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feggjs%2Fegg-cancan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feggjs%2Fegg-cancan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feggjs%2Fegg-cancan/lists"}
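The README sections on defining abilities, the per-context cache, `ctx.can`/`ctx.authorize` and the `handleAuthorize` middleware describe behaviour that is easiest to see end to end. The following is an added example, not code from egg-cancan or the eggjs project: a small stand-in for `BaseAbility`, `ctx.can`, `ctx.authorize` and the middleware that runs without Egg. It shows the alias table, a deny-by-default `rules` beside the README's fall-through-to-`true` pattern, the mapping of `CanCanAccessDenied` to a 403, and why a custom `cacheKey` must cover the fields the rules read. The class and function names, the sample topic and user objects, `FailOpenAbility` and `StaleKeyAbility` are assumptions constructed for the example, and `JSON.stringify` stands in for the plugin's own key stringification.

```javascript
'use strict';
// Added example, not egg-cancan's code: a stand-in for BaseAbility, ctx.can,
// ctx.authorize and the handle_authorize middleware that runs without Egg.

// Alias table from the README: every alias resolves to its canonical action.
const ACTION_ALIASES = {
  show: 'read', read: 'read', edit: 'update', update: 'update',
  new: 'create', create: 'create', destroy: 'delete', delete: 'delete',
};

class CanCanAccessDenied extends Error {
  constructor(action, type) {
    super(`access denied: ${action} on ${type}`);
    this.name = 'CanCanAccessDenied'; // the README middleware matches on this name
  }
}

class BaseAbility {
  constructor(ctx, user, { cache = false } = {}) {
    this.ctx = ctx;
    this.user = user || null;               // null for anonymous requests
    this._cache = cache ? new Map() : null; // per-context cache, off by default
  }
  // Default key: action + stringified obj + stringified options (JSON.stringify is
  // this example's assumption for the plugin's own stringification).
  cacheKey(action, obj, options) {
    return [action, JSON.stringify(obj), JSON.stringify(options)].join('-');
  }
  async can(action, obj, options = {}) {
    const canonical = ACTION_ALIASES[action] || action;
    const key = this.cacheKey(canonical, obj, options);
    if (this._cache && this._cache.has(key)) return this._cache.get(key);
    // Only a literal true grants; a forgotten return (undefined) denies.
    const allowed = (await this.rules(canonical, obj, options)) === true;
    if (this._cache) this._cache.set(key, allowed);
    return allowed;
  }
  async authorize(action, obj, options = {}) {
    if (!(await this.can(action, obj, options))) {
      throw new CanCanAccessDenied(action, options.type || 'unknown');
    }
  }
}

// Deny-by-default version of the README's example Ability (sample rules, assumed).
class Ability extends BaseAbility {
  async rules(action, topic, options = {}) {
    if (options.type !== 'topic') return false;
    if (action === 'read') return true;
    if (action === 'create') return this.user !== null;
    if (action === 'update') return this.user !== null && topic.user_id === this.user.id;
    if (action === 'delete') return this.user !== null && this.user.admin === true;
    return false; // unknown action on a known type: deny
  }
}

// The README's pattern: anything not matched falls through to `return true`.
class FailOpenAbility extends Ability {
  async rules(action, topic, options = {}) {
    const known = ['read', 'create', 'update', 'delete'].includes(action);
    return known ? super.rules(action, topic, options) : true;
  }
}

// A custom cacheKey that ignores the fields rules() reads (the caveat in the cache section).
class StaleKeyAbility extends Ability {
  cacheKey(action, obj, options) {
    return [action, obj.id, options.type].join(':');
  }
}

// Same shape as the README's handle_authorize middleware, minus Egg's app object.
async function handleAuthorize(ctx, next) {
  try {
    await next();
  } catch (e) {
    if (e.name !== 'CanCanAccessDenied') throw e;
    ctx.status = 403;
    ctx.body = 'Access Denied';
  }
}

// Runs the scenarios on constructed sample data (not real records) and returns the outcomes.
async function demo() {
  const T = { type: 'topic' };
  const topic = { id: 1, user_id: 7 };
  const author = { id: 7, admin: false };
  const admin = { id: 2, admin: true };
  const ctx = { status: 200, body: null };
  const r = {};
  r.aliasEdit = await new Ability(ctx, author).can('edit', topic, T);             // edit -> update: true
  r.anonUpdate = await new Ability(ctx, null).can('update', topic, T);            // false
  r.adminDestroy = await new Ability(ctx, admin).can('destroy', topic, T);        // destroy -> delete: true
  r.unknownStrict = await new Ability(ctx, null).can('publish', topic, T);        // false
  r.unknownLoose = await new FailOpenAbility(ctx, null).can('publish', topic, T); // true: fail-open
  await handleAuthorize(ctx, () => new Ability(ctx, null).authorize('update', topic, T));
  r.status = ctx.status;                                                          // 403
  const fresh = new Ability(ctx, author, { cache: true });
  const stale = new StaleKeyAbility(ctx, author, { cache: true });
  r.beforeChange = [await fresh.can('update', topic, T), await stale.can('update', topic, T)]; // [true, true]
  topic.user_id = 9; // ownership changes later in the same request
  r.afterChange = [await fresh.can('update', topic, T), await stale.can('update', topic, T)];  // [false, true]
  return r;
}

demo().then(r => console.log(r));
```

The two cache results at the end are the point of the caveat: the default key includes the stringified object, so the change to `user_id` produces a cache miss and a fresh denial, while the id-only key keeps serving the earlier `true` for the rest of the request.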