Skip to content
CFast CFast

resolveGrants

Call Signature

Section titled “Call Signature”

resolveGrants(permissions, user): Grant[]

Defined in: packages/permissions/src/resolve-grants.ts:69

Resolves and merges grants for multiple roles into a single flat array.

Looks up each role’s pre-expanded grants (from hierarchy resolution) and deduplicates them by action + subject. When multiple grants share the same action + subject:

  • If any grant has no where clause, the merged grant is unrestricted.
  • If all grants have where clauses, they are OR-merged via Drizzle’s or().

This is used when a user has multiple roles and their grants need to be combined.

Two calling styles are supported (both equivalent):

  • User object (preferred): resolveGrants(permissions, user) where user has a roles field. The function extracts roles internally.
  • Roles array (legacy): resolveGrants(permissions, roles) where roles is a string array. Still supported for backwards compatibility.

Parameters

Section titled “Parameters”

permissions

Section titled “permissions”

Permissions

The permissions object from definePermissions.

user

Section titled “user”

UserWithRoles

Returns

Section titled “Returns”

Grant[]

A deduplicated array of Grant objects with merged where clauses.

Example

Section titled “Example”
// Preferred: pass the user directly
const grants = resolveGrants(permissions, user);


// Legacy: pass roles array (still works)
const grants = resolveGrants(permissions, user.roles);

Call Signature

Section titled “Call Signature”

resolveGrants(permissions, roles): Grant[]

Defined in: packages/permissions/src/resolve-grants.ts:73

Resolves and merges grants for multiple roles into a single flat array.

Looks up each role’s pre-expanded grants (from hierarchy resolution) and deduplicates them by action + subject. When multiple grants share the same action + subject:

  • If any grant has no where clause, the merged grant is unrestricted.
  • If all grants have where clauses, they are OR-merged via Drizzle’s or().

This is used when a user has multiple roles and their grants need to be combined.

Two calling styles are supported (both equivalent):

  • User object (preferred): resolveGrants(permissions, user) where user has a roles field. The function extracts roles internally.
  • Roles array (legacy): resolveGrants(permissions, roles) where roles is a string array. Still supported for backwards compatibility.

Parameters

Section titled “Parameters”

permissions

Section titled “permissions”

Permissions

The permissions object from definePermissions.

roles

Section titled “roles”

readonly string[]

Returns

Section titled “Returns”

Grant[]

A deduplicated array of Grant objects with merged where clauses.

Example

Section titled “Example”
// Preferred: pass the user directly
const grants = resolveGrants(permissions, user);


// Legacy: pass roles array (still works)
const grants = resolveGrants(permissions, user.roles);