Authorization
Authorization is a key aspect of security and user experience in web applications. Whether you are building a complex enterprise-level application or a simple CRUD interface, Refine's authorization system provides the necessary infrastructure to protect your resources and ensure that users interact with your application in a secure and controlled manner.
Refine's flexible architecture allows you to easily implement various authorization strategies:
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Access Control List (ACL)
With any authorization solution. (i.e. Okta, Casbin, Cerbos, or more)
Refine offers several features to help you implement authorization in your application:
<CanAccess />
component: Conditionally renders child components based on the user's access to a resource.useCan
hook: Returns a value indicating whether the user has access to a resource based on the given parameters.- UI Integrations: Conditionally renders UI elements such as buttons, menu items, etc. based on the user's access to a resource.
In order to enable these features, Refine uses the Access Control Provider as an interface to connect your application with your authorization solution and provides necessary parameters to make access control decisions.
Access Control Provider
The Access Control Provider is an object that contains a can
method. This method is called by Refine to understand if the user can see a certain resource or perform an action.
A basic Access Control Provider looks like this:
import { AccessControlProvider } from "@refinedev/core";
export const accessControlProvider: AccessControlProvider = {
can: async ({ resource, action, params }) => {
console.log(resource); // products, orders, etc.
console.log(action); // list, edit, delete, etc.
console.log(params); // { id: 1 }, { id: 2 }, etc.
if (meetSomeCondition) {
return { can: true };
}
return {
can: false,
reason: "Unauthorized",
};
},
};
And can be passed to <Refine />
component's accessControlProvider
prop:
import { Refine } from "@refinedev/core";
import { accessControlProvider } from "./access-control-provider";
export const App = () => {
return (
<Refine
accessControlProvider={accessControlProvider}
>
{/* ... */}
</Refine>
);
};
To learn more about the Access Control Provider
, check out the reference page.
CanAccess Component
The CanAccess
component can be used to wrap your pages or components to hide them from unauthorized users.
It calls Access Control Provider's can
method and conditionally renders its children based on the result.
Here's a basic example of how to use the CanAccess
component:
import { CanAccess } from "@refinedev/core";
export const ListPage = () => {
return (
<CanAccess
resource="products"
action="list"
fallback={<h1>You are not authorized to see this page.</h1>}
>
<>
<h1>Products</h1>
<CanAccess resource="products" action="show" params={{ id: 1 }}>
<Button>See Details</Button>
</CanAccess>
</>
</CanAccess>
);
};
To learn more about the CanAccess
component, check out the reference page.
Router Integrations
Refine's router integrations can infer resource
, action
, and params.id
props from the current route and pass them to the <CanAccess />
component.
This means you can wrap all of your routes with a single <CanAccess />
component, instead of wrapping each page individually.
See React Router, Next.js, Remix integration pages for more information.
useCan Hook
The useCan
hook can be used to check if the user has access to a resource or action.
It calls Access Control Provider's can
method and returns a value indicating whether the user has access to the resource or action.
Here's a basic example of how to use the useCan
hook:
import { useCan } from "@refinedev/core";
export const ListPage = () => {
const { data } = useCan({
resource: "products",
action: "show",
params: { id: 1 },
});
return (
<>
<h1>Products</h1>
{data?.can && <Button>See Details</Button>}
</>
);
};
To learn more about the useCan
hook, check out the reference page.
Handling Authorization
Code Example
Dependencies: @refinedev/core@latest,@refinedev/simple-rest@latest,@refinedev/react-router@latest,react-router@^7.0.2
Content: import React from "react"; import { Refine } from "@refinedev/core"; import routerProvider from "@refinedev/react-router"; import dataProvider from "@refinedev/simple-rest"; import { BrowserRouter, Route, Routes } from "react-router"; import "./style.css"; import { accessControlProvider } from "./access-control.ts"; import { PaymentShow } from "./show.tsx"; export default function App() { return ( <BrowserRouter> <Refine accessControlProvider={accessControlProvider} routerProvider={routerProvider} dataProvider={dataProvider("https://api.fake-rest.refine.dev")} resources={[ { name: "payments", show: "/payments/:id", }, ]} > <Routes> <Route path="/payments/:id" element={<PaymentShow />} /> </Routes> </Refine> </BrowserRouter> ); }
Content: html { margin: 0; padding: 0; } body { margin: 0; padding: 12px; } * { box-sizing: border-box; } body { font-family: sans-serif; } form label, form input, form button { display: block; width: 100%; margin-bottom: 6px; } span + button { margin-left: 6px; } ul > li { margin-bottom: 6px; }
Content: import { AccessControlProvider } from "@refinedev/core"; const role = "editor"; // Uncomment this line and refresh to see difference. // const role = "admin"; export const accessControlProvider: AccessControlProvider = { can: async ({ action, resource, params }) => { console.log(action, resource, params); if ( role === "admin" && ["field", "refund", "approve"].includes(action) ) { return { can: true, }; } return { can: false, reason: "Unauthorized", }; }, };
Content: import { CanAccess, useCan } from "@refinedev/core"; export const PaymentShow: React.FC = () => { const { data } = useCan({ resource: "payments", action: "refund", params: { id: 1 }, }); return ( <> <h1>Payment Details</h1> <p> <b>ID</b>: <span>1</span> </p> <p> <b>Amount</b>: <span>$100</span> </p> <p> <b>Transaction ID</b>: <span> <CanAccess resource="payments" action="field" params={{ field: "transactionId" }} fallback={<>This field is only visible to admin users.</>} > <span>123456789</span> </CanAccess> </span> </p> <button disabled={!data?.can}> {data?.can ? "Refund" : data?.reason} </button> </> ); };
UI Integrations
When Access Control Provider is provided, Refine's UI Integrations automatically manages the visibility of their components like buttons and menu items, simplifying the management of UI.
These UI Integrations uses the Access Control Provider to check if a user has the necessary permissions. This check is performed without requiring manual implementation for each component, streamlining the development process.
Sider
Sider component's menu items will automatically hidden if user don't have access.
Let's assume we have products resource.
Menu item of this resource will call can
method with following parameters:
{ resource: "products", action: "list" }
And if user isn't allowed to list
products, menu item will be hidden.
Buttons
If you are using one of our buttons from our UI Integrations in your application, you don't need to wrap it with <CanAccess />
or use useCan
every time. These buttons will automatically be shown or hidden.
// Following buttons call `can` method with commented parameters.
import {
CreateButton, // { resource: "products", action: "create", params: { resource }}
ListButton, // { resource: "products", action: "list" , params: { resource }}
EditButton, // { resource: "products", action: "edit", params: { id: 1, resource } }
ShowButton, // { resource: "products", action: "show", params: { id: 1, resource } }
DeleteButton, // { resource: "products", action: "delete", params: { id: 1, resource } }
CloneButton, // { resource: "products", action: "clone", params: { id: 1, resource } }
} from "@refinedev/antd"; // or @refinedev/chakra-ui, @refinedev/mui, @refinedev/mantine