Reputation: 1856
I have an isAuthorized policy that returns true if the User is authorized to perform a given action against a given model and model instance.
Is there a way to apply this policy to the blueprint routes such that, for example, a GET request to file only returns the Files the current user is allowed to do a findOne on?
Similarly, could this same policy be applied to the blueprint populate results, such that only some of a User's associated Files would be returned in the populated array?
To do this currently I am overriding the find action in each controller, which is less than ideal. If it could be applied using a policy without breaking blueprint routes/actions, that would be awesome.
Upvotes: 1
Views: 1199
Reputation: 436
This is part of sails, maybe a new feature?
http://sailsjs.com/documentation/concepts/policies#?using-policies-with-blueprint-actions
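// config/policies.js
module.exports.policies = {
  UserController: {
    // Policies run in order; both must call next() before the blueprint action runs
    find: ['isAuthorized', 'filterByUserId'],
    findOne: ['isAuthorized', 'filterByUserId']
  }
};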
api/policies/filterByUserId.js
module.exports = function filterByUserId(req, res, next) {
  if (req.session.user) {
    // Use existing req.options.where, or initialize it to an empty object
    req.options.where = req.options.where || {};
    // Set the default `userId`
    req.options.where.id = req.session.user.id;
  }
  // Safe to do if isAuthorized policy is enforced in tandem.
  return next();
};
Upvotes: 0
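An added example, not part of the answer above or of Sails itself: the same `req.options.where` approach applied to a File model, written to fail closed when there is no session user and to reject a request that names another owner in its query string. The `owner` attribute, the `ownerScope` and `simulate` names, and the mock request are assumptions made for illustration.

```javascript
// Added example. Assumes a File model with a hypothetical `owner` attribute
// holding the owning user's id, and req.session.user as in the answer above.
function ownerScope(ownerAttr) {
  return function (req, res, next) {
    const user = req.session && req.session.user;
    // Fail closed: without a logged-in user there is no scope to apply.
    if (!user) return res.forbidden();

    // Collect any owner value the client put in the query string, either as
    // ?owner=... or inside a JSON ?where={...} parameter.
    const query = req.query || {};
    const claimed = [];
    if (query[ownerAttr] !== undefined) claimed.push(query[ownerAttr]);
    if (typeof query.where === 'string') {
      let parsed;
      try { parsed = JSON.parse(query.where); } catch (e) { return res.badRequest(); }
      if (parsed && parsed[ownerAttr] !== undefined) claimed.push(parsed[ownerAttr]);
    }
    // Reject a request that names a different owner instead of relying on
    // how the blueprint merges client criteria with req.options.where.
    if (claimed.some((v) => String(v) !== String(user.id))) return res.forbidden();

    req.options = req.options || {};
    req.options.where = Object.assign({}, req.options.where, { [ownerAttr]: user.id });
    return next();
  };
}

// In a Sails app: module.exports = ownerScope('owner'); in api/policies/.
// Constructed harness: runs the policy against a mock request object.
function simulate(req) {
  let outcome = 'pending';
  const res = {
    forbidden: () => { outcome = 'forbidden'; },
    badRequest: () => { outcome = 'badRequest'; },
  };
  ownerScope('owner')(req, res, () => { outcome = 'next'; });
  return { outcome, where: req.options && req.options.where };
}
```

Listed after `isAuthorized` for `find` and `findOne` on the File controller, this scopes the blueprint query itself, so the `find` action does not need to be overridden.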
Reputation: 15018
In my sails-permissions module, I override the sails.js response type so that the controller only responds with models that the user is allowed to access.
See:
Upvotes: 3