Reputation: 1631
loopback.io model, acl principalId, $owner
I need to limit data access in a model only to the loopback user that created it.
I saw this in the docs:
http://loopback.io/doc/en/lb2/Model-definition-JSON-file.html#acls
$owner - Owner of the object
Does that mean the logged in user who created that object?
When a model runs create, is loopback.io storing the user id of the current logged in user inside it's own ACL?
Or will I need to do something like this, which is to create new properties on my model with relations to the user model:
Upvotes: 1
Views: 1011
Answers (1)
Reputation: 1631
Got it:
http://loopback.io/doc/en/lb2/Defining-and-using-roles.html#dynamic-roles
To qualify a $owner, the target model needs to have a belongsTo relation to the User model (or a model extends from User) and property matching the foreign key of the target model instance. The check for $owner is only performed for a remote method that has ‘:id’ on the path, for example, GET /api/users/:id.
Upvotes: 1
Related Questions
- loopback ACL for user model
- Need Help Understanding ACL in Loopback
- Loopback: Multiple owners for a model with belongsTo relation
- Loopback ACL "Authorization Required"
- Loopback acl and ownerid
- ACL troubles with loopback.io
- Loopback postgresql relation "public.acl"
- LoopBack user-specific data filtering/access
- Loopback - $owner role with a "hasMany" relation
- How to use Loopback ACL modify permissions on the user role