Luke Fisher

Reputation: 1

Access control in LoopBack

I am building an events management web app for my clients based on the StrongLoop API platform, whereby I need to limit CRUD access to data to the currently logged-in user (a client).

I have followed these tutorials https://github.com/strongloop/loopback-faq-user-management, https://github.com/strongloop/loopback-example-access-control to successfully log in and log out, and now need to implement bringing back the correct data on the AngularJS client.

I have set up a relation on my 'events' model as follows:

"relations": {
  "user": {
    "type": "belongsTo",
    "model": "User",
    "foreignKey": "ownerId"
  }
}

and also on the built-in User model:

"relations": {
  "events": {
    "type": "hasMany",
    "model": "event",
    "foreignKey": "ownerId"
  }
}

Not sure where/how to define the access token after login to make API calls. Do I also need to apply a filter on $scope.events = Event.find(); to retrieve only the records where ownerID: <currentUserId> or should the ACLs achieve that for me?

Any help much appreciated.

Upvotes: 0

Views: 808

Answers (1)

IvanZh

Reputation: 2290

1) The access token is automatically saved to localStorage/sessionStorage and to the angular-sdk internals, so it is attached to the Authorization header on every request to the API.

2) Yes, you should apply a filter, because ACLs just allow or deny access to remote methods. By the way, another way to query a user's events is

User.events({id: currentUserId})

Upvotes: 0
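Since an ACL only allows or denies the whole `find` remote method, a client-side `where` is a convenience, not a guarantee: any authenticated user who drops the filter gets every event. The same ownerId scoping can be enforced on the server with a `beforeRemote` hook, shown here as an added example that is not code from the question, the answer, or the LoopBack project. It assumes a LoopBack 2.x app with the `loopback.token()` middleware enabled (so `ctx.req.accessToken` is populated), the `event` model with the `ownerId` foreign key from the question, and that the file lives at `common/models/event.js` (the path is an assumption).

```javascript
// Added example: server-side owner scoping for the 'event' model's find method.
// Assumed: LoopBack 2.x, loopback.token() middleware enabled, model 'event'
// with foreign key 'ownerId' as in the question; file path common/models/event.js.

// Merge an ownerId constraint into whatever filter the client supplied.
// An existing 'where' is kept but AND-ed with ownerId, so the client can only
// narrow the result set further, never widen it to other users' events.
function scopeFilterToOwner(filter, userId) {
  if (typeof filter === 'string') filter = JSON.parse(filter);
  var f = filter ? JSON.parse(JSON.stringify(filter)) : {};
  var own = { ownerId: userId };
  f.where = f.where ? { and: [f.where, own] } : own;
  return f;
}

// Wire the scope in as a beforeRemote hook on Event.find, the remote method
// behind GET /api/events. ctx.args.filter is the parsed ?filter= query.
function registerOwnerScope(Event) {
  Event.beforeRemote('find', function(ctx, unused, next) {
    var token = ctx.req && ctx.req.accessToken;
    if (!token || token.userId == null) {
      // No valid token: refuse rather than fall through to an unscoped query.
      var err = new Error('Authorization Required');
      err.statusCode = 401;
      return next(err);
    }
    ctx.args.filter = scopeFilterToOwner(ctx.args.filter, token.userId);
    next();
  });
}

module.exports = registerOwnerScope;
```

LoopBack's built-in `$owner` role only matches instance methods such as `findById`, not the static `find`, which is why the list endpoint needs this explicit scoping. A client-supplied `where: {ownerId: <someone else>}` still yields an empty result because it is AND-ed with the caller's own id.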
