Chuck Lega

Reputation: 47

How to use Loopback ACL model/table?

I'm trying to set up access control for my REST API. Loopback provides a great starting point for handling access based on user/role/principals.

But what if I want anything more than provided, e.g. multiple owners for a model instance? Would adding entries to the ACL table be enough? Or should I create a new role/resolver, and if so, can/should I reuse the existing ACL model/table or roll my own?

Loopback is awesome, but the documentation lacks depth, leaving you to read the source code.

Upvotes: 1

Views: 348

Answers (1)

Farid Nouri Neshat

Reputation: 30430

Well, in this particular case I suggest creating a custom role resolver.

Something like this:

Role.registerResolver('$inOwners', function (role, ctx, callback) {
  // LoopBack role resolvers report membership as callback(err, isInRole).
  // An Error is reserved for real failures (it aborts the whole ACL check);
  // "not an owner" must be reported as (null, false), not as an Error.
  var userId = ctx.accessToken && ctx.accessToken.userId;
  if (!userId || !ctx.modelId) {
    // Anonymous caller, or a static method with no instance to own
    return callback(null, false);
  }
  ctx.model.count({
    id: ctx.modelId,

    // This only works for mongo db...
    owners: userId
  }, function(err, count) {
    if (err) {
      callback(err);
    } else {
      callback(null, count > 0);
    }
  });
});

And then you can add this to the ACLs (either in the model's static acls in the JSON file, or in the ACL table):

{
  "accessType": "*",
  "principalType": "ROLE",
  "principalId": "$inOwners",
  "permission": "ALLOW",
  "property": "*",
  "model": "*"
}

Do remember that whenever the access to a loopback method depends on what's inside a document/row, you can only use role resolvers to define ACL for it; otherwise you have to make your own ACL system.

Upvotes: 2
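The following is an added, runnable example that is not part of the original answer: it wires the resolver idea above into the shape of a LoopBack boot script and exercises it against a constructed in-memory stand-in for a model with an `owners` array. The file path `server/boot/in-owners-role.js`, the `makeFakeModel` helper, the sample documents and user ids are all assumptions for illustration; only `Role.registerResolver` and the `(role, ctx, callback)` resolver contract are LoopBack's own API. It also pairs the resolver with a deny-by-default ACL list, since without a DENY rule for `$everyone` the ALLOW entry alone does not restrict anything.

```javascript
'use strict';

// Hypothetical boot script (e.g. server/boot/in-owners-role.js). Added example,
// not code from the original answer or from the LoopBack project.

// Constructed in-memory stand-in for a LoopBack model whose instances carry an
// `owners` array. It mirrors the MongoDB semantics the answer relies on:
// comparing a scalar against an array field matches when the array contains it.
function makeFakeModel(docs) {
  return {
    count: function (where, cb) {
      var n = docs.filter(function (d) {
        return d.id === where.id &&
          Array.isArray(d.owners) &&
          d.owners.indexOf(where.owners) !== -1;
      }).length;
      cb(null, n);
    }
  };
}

// The role resolver. LoopBack expects callback(err, isInRole): "not an owner"
// is (null, false). Passing an Error would surface as a server error and abort
// the ACL evaluation instead of falling through to the DENY rule.
function inOwnersResolver(role, ctx, callback) {
  var userId = ctx.accessToken && ctx.accessToken.userId;
  if (!userId) return callback(null, false);      // anonymous request
  if (!ctx.modelId) return callback(null, false); // static method: no instance to own
  ctx.model.count({ id: ctx.modelId, owners: userId }, function (err, count) {
    if (err) return callback(err);                 // datasource failure: propagate
    callback(null, count > 0);
  });
}

// Model ACLs to pair with the resolver (the model's JSON `acls` array). Deny
// everyone by default, then grant the dynamic role; a matching custom-role rule
// outranks the $everyone rule when LoopBack picks the most specific match.
var OWNER_ONLY_ACLS = [
  { accessType: '*', principalType: 'ROLE', principalId: '$everyone', permission: 'DENY', property: '*' },
  { accessType: '*', principalType: 'ROLE', principalId: '$inOwners', permission: 'ALLOW', property: '*' }
];

function registerInOwnersRole(Role) {
  Role.registerResolver('$inOwners', inOwnersResolver);
}

// Helper for local experiments: the fake model calls back synchronously, so the
// decision is available as soon as the resolver returns.
function resolveWith(model, accessToken, modelId) {
  var result = { err: null, inRole: null };
  inOwnersResolver('$inOwners', { model: model, accessToken: accessToken, modelId: modelId },
    function (err, inRole) { result = { err: err, inRole: inRole }; });
  return result;
}

// Constructed sample data: two documents, three users.
var SAMPLE_DOCS = [
  { id: 'doc-1', owners: ['u1', 'u2'] },
  { id: 'doc-2', owners: ['u3'] }
];
var sampleModel = makeFakeModel(SAMPLE_DOCS);

// Boot-script entry point when loaded by LoopBack (`app.models.Role`).
if (typeof module !== 'undefined' && module.exports) {
  module.exports = function (app) { registerInOwnersRole(app.models.Role); };
}
```

Run as a boot script, LoopBack calls the exported function with `app`; `resolveWith(sampleModel, { userId: 'u1' }, 'doc-1')` returns `{ err: null, inRole: true }`, while an anonymous token, a static method (no `modelId`) or a non-owner all return `inRole: false` without raising an error, and only a datasource failure propagates an `err`.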
