checkPermissions

checkPermissions(role, permissions, descriptors): PermissionCheckResult

Defined in: packages/permissions/src/check.ts:71

Checks whether a role satisfies a set of permission descriptors.

This is the low-level structural checking function. It determines whether a role has any matching grant for each descriptor (action + table), without evaluating row-level where clauses. Row-level enforcement happens at execution time in @cfast/db.

Parameters

role: string

The role to check (e.g., "user", "admin").

permissions: Permissions

The permissions object from definePermissions.

descriptors: PermissionDescriptor[]

Array of permission descriptors to check against.

Returns

PermissionCheckResult

A PermissionCheckResult with permitted, denied, and reasons.

import { checkPermissions, definePermissions, grant } from "@cfast/permissions";

// `posts` is a table object from your application's schema; its definition is not shown here.
const permissions = definePermissions({
  roles: ["user", "admin"] as const,
  grants: {
    user: [grant("read", posts), grant("create", posts)],
    admin: [grant("manage", "all")],
  },
});

// "user" has no grant for "update" on posts, so the structural check denies it.
const result = checkPermissions("user", permissions, [
  { action: "update", table: posts },
]);

result.permitted; // false
result.denied; // [{ action: "update", table: posts }]
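
The note above that this check is structural only has a practical consequence: a result of permitted: true means a matching grant exists, not that a given row is accessible. The following is an added, self-contained model of that distinction, not code from @cfast/permissions or @cfast/db; the Grant shape, the where callback signature, and the rule that "manage" and "all" act as wildcards are assumptions made for illustration.

```typescript
// Simplified stand-in model (hypothetical names), NOT the @cfast/permissions implementation.
type Action = "read" | "create" | "update" | "delete" | "manage";
type Row = { id: number; authorId: string };
type Grant = { action: Action; table: string; where?: (row: Row, userId: string) => boolean };
type Descriptor = { action: Action; table: string };

// Constructed grants: "user" may update posts, but only rows they authored.
const grants: Record<string, Grant[]> = {
  user: [
    { action: "read", table: "posts" },
    { action: "update", table: "posts", where: (row, userId) => row.authorId === userId },
  ],
  admin: [{ action: "manage", table: "all" }],
};

// Assumption: "manage" covers every action and "all" covers every table.
function matches(g: Grant, d: Descriptor): boolean {
  return (g.action === "manage" || g.action === d.action) &&
    (g.table === "all" || g.table === d.table);
}

// Structural check: is there any grant for action + table? Where clauses are ignored.
function structuralCheck(role: string, descriptors: Descriptor[]) {
  const denied = descriptors.filter((d) => !(grants[role] ?? []).some((g) => matches(g, d)));
  return { permitted: denied.length === 0, denied };
}

// Row-level check: what the execution layer must still enforce for each row.
function rowAllowed(role: string, d: Descriptor, row: Row, userId: string): boolean {
  return (grants[role] ?? []).some((g) => matches(g, d) && (!g.where || g.where(row, userId)));
}

const updatePost: Descriptor = { action: "update", table: "posts" };
const ownPost: Row = { id: 1, authorId: "alice" };    // constructed row
const othersPost: Row = { id: 7, authorId: "bob" };   // constructed row

function demo() {
  return {
    // The structural check passes because an "update" grant on posts exists...
    structural: structuralCheck("user", [updatePost]).permitted,
    // ...but only the row-level check separates alice's row from bob's.
    ownRow: rowAllowed("user", updatePost, ownPost, "alice"),
    otherRow: rowAllowed("user", updatePost, othersPost, "alice"),
    deleteDenied: structuralCheck("user", [{ action: "delete", table: "posts" }]).denied.length,
  };
}
console.log(demo());
```

Use the structural result to gate routes or UI, and rely on the execution layer for per-row decisions.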