Matt Westlake

Reputation: 3651

sails-permissions blacklist read criteria

I have a model with a payment ID, and when I do a GET request it returns the blacklisted item

WorkOrder.create({
  id: 1,
  requestedDate: new Date(),
  user: user[0],
  product: product[0],
  paid: true,
  paymentID: 'abcd12'
})

When I do a simple get call to /workOrder/1

it('should not return the paymentID to the registered user', function(){
    return request
        .get('/workOrder/1')
        .expect(200)
        .then(function(res){
            console.log(res.body)
            return expect(res.body.paymentID).to.equal(undefined)
        })
})

It returns the paymentID with the payload

{ user: 322,
  product: 733,
  id: 1,
  requestedDate: '2016-11-06T15:04:41.174Z',
  paid: true,
  paymentID: 'abcd12',
  createdAt: '2016-11-06T15:04:41.179Z',
  updatedAt: '2016-11-06T15:04:41.179Z' }

even though in bootstrap.js I have

  ok = ok.then(function(){
    return PermissionService.grant({
      role: 'registered',
      model: 'WorkOrder',
      action: 'read',
      criteria: {blacklist: ['paymentID']}
    })
  })

and in criteria

sails> Criteria.find({}).then(function(r) {console.log(r)})

Promise {
  _bitField: 0,
  _fulfillmentHandler0: undefined,
  _rejectionHandler0: undefined,
  _promise0: undefined,
  _receiver0: undefined }
sails> [
  { permission: 11953,
    blacklist: [ 'paymentID' ],
    createdAt: '2016-11-06T15:11:52.648Z',
    updatedAt: '2016-11-06T15:11:52.648Z',
    id: 46 } ]

and in permissions

sails> Permission.find({id: 11953}).populate('model').populate('role').then(function(r){console.log(r)})

Promise {
  _bitField: 0,
  _fulfillmentHandler0: undefined,
  _rejectionHandler0: undefined,
  _promise0: undefined,
  _receiver0: undefined }
sails> [ { model:
     { name: 'WorkOrder',
       identity: 'workorder',
       attributes:
            ...
       id: 2029 },
    role:
     { name: 'registered',
       active: true,
       createdAt: '2016-11-06T15:11:51.522Z',
       updatedAt: '2016-11-06T15:11:51.522Z',
       id: 572 },
    action: 'read',
    relation: 'role',
    createdAt: '2016-11-06T15:11:52.640Z',
    updatedAt: '2016-11-06T15:11:52.642Z',
    id: 11953 } ]

Upvotes: 0

Views: 97

Answers (1)

Steven Hanna

Reputation: 63

In the WorkOrder model, add this toJSON function near the end of the file (still inside the module.exports). Basically what it does is that before the model ever gets parsed into JSON, it removes the paymentID

// Remove the paymentID before the record is serialized to JSON (res.json / JSON.stringify call toJSON)
toJSON: function() {
  var obj = this.toObject();
  delete obj.paymentID;
  return obj;
},

This link to the Sails Docs explains the concept in further detail along with more examples.

Upvotes: 1
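The two mechanisms discussed in this thread sit at different layers: the `criteria: {blacklist: [...]}` grant in the question is a per-role policy check, while the `toJSON` override in the answer strips the attribute at serialization time for every caller. The following is an added example, not code from the question, the answer or sails-permissions; it is plain Node.js so it runs without Sails, and `applyReadBlacklist`, `readBlacklists`, `makeWorkOrderRecord`, `serializeForResponse` and the sample record are all constructed for this illustration. It shows what a correctly applied read blacklist would do to a single record and to a `find()` array, and then shows why the model-level `toJSON` still removes the field even when no policy filtering happens.

```javascript
// Added example: keeping a sensitive attribute (paymentID) out of API
// responses at two layers. Plain Node.js, no Sails dependency. All names
// and the sample record below are constructed for this illustration.

// Constructed sample record, shaped like the WorkOrder payload in the question.
const sampleWorkOrder = {
  user: 322,
  product: 733,
  id: 1,
  requestedDate: '2016-11-06T15:04:41.174Z',
  paid: true,
  paymentID: 'abcd12',
  createdAt: '2016-11-06T15:04:41.179Z',
  updatedAt: '2016-11-06T15:04:41.179Z',
};

// Layer 1: role-based read blacklist, the effect the question expects from
// PermissionService.grant({ role: 'registered', action: 'read',
// criteria: { blacklist: ['paymentID'] } }). Hypothetical policy table.
const readBlacklists = {
  registered: ['paymentID'],
  admin: [],
};

// Applies the role's blacklist to a single record or to an array of records
// (find() returns arrays). Returns shallow copies so the originals are untouched.
function applyReadBlacklist(role, result) {
  const blacklist = readBlacklists[role] || [];
  const strip = (record) => {
    const copy = Object.assign({}, record);
    for (const field of blacklist) delete copy[field];
    return copy;
  };
  return Array.isArray(result) ? result.map(strip) : strip(result);
}

// Layer 2: model-level toJSON, the answer's approach. JSON.stringify (which
// res.json relies on) calls toJSON before serializing, so the attribute never
// reaches the wire for any role, even if the policy layer is misconfigured.
function makeWorkOrderRecord(attrs) {
  return Object.assign({}, attrs, {
    // Stand-in for Waterline's record.toObject(): a plain copy without methods.
    toObject() {
      const plain = Object.assign({}, this);
      delete plain.toObject;
      delete plain.toJSON;
      return plain;
    },
    toJSON() {
      const obj = this.toObject();
      delete obj.paymentID;
      return obj;
    },
  });
}

// Simulates what a client receives: the record round-tripped through JSON.
function serializeForResponse(record) {
  return JSON.parse(JSON.stringify(record));
}

// Check mirroring the question's test: does a response (object or array)
// expose the field anywhere?
function responseLeaksField(payload, field) {
  const records = Array.isArray(payload) ? payload : [payload];
  return records.some((r) => Object.prototype.hasOwnProperty.call(r, field));
}

// Stand-alone demonstration.
console.log('registered, policy layer:', applyReadBlacklist('registered', sampleWorkOrder));
console.log('admin, policy layer:     ', applyReadBlacklist('admin', sampleWorkOrder));
console.log('any role, toJSON layer:  ', serializeForResponse(makeWorkOrderRecord(sampleWorkOrder)));
```

Note the trade-off the `toJSON` approach carries: it hides `paymentID` from every consumer, including roles that legitimately need it, whereas the blacklist grant is per role. Using both gives defence in depth, with the model-level override acting as the backstop when a permission record is missing or not applied.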
