Get denied reason in PureAbility#can and #cannot

[noftaly]

Hey there!

I'm switching my app from a home-made permission system to casl. Although it's been a rough start, I'm starting to enjoy its simplicity more and more!

Anyway I'm checking permissions in a service like so:

const ability = this.caslAbilityFactory.createForUser(user);
if (ability.cannot(Action.Update, post)) // post is an entity fetched from the DB, not the subject's base class)
    throw new ForbiddenException('Update not permitted'); // Coming from Nest.js

But I'd like to send the exact reason why it was denied (the reason specified in .because in my AbilityBuilder).
Is there any way I can get access to the reason why the action is not permitted?

I could get .relevantRuleFor and do the check myself but this feels extremely hackish...

Thanks!

EDIT: I forgot to mention, I've tried to use ForbiddenError but I'm using Nest.js so I'd like to throw one of the standard Exception class... and try/catching it every time is a bit of a hassle to. (of course I can make a util function that wraps all that and it will be solved in one line, but is there a "better" way to do it?)

[stalniy]

You can use ForbiddenError.from(ability).throwUnlessCan(...) and it will throw an instance of ForbiddenError which has message of the reason.

If this doesn’t work for you, then you need to use relevantRuleFor(...)

[noftaly]

Ok thanks, I'll go for ForbiddenError then, wrapped in a custom util function to throw an Nestjs http exception. Thank for the swift answer!