Restrict which HTTP methods on a loopback model relationship

Question

So I have a venue model with the following rellationship:

relations": {
  "events": {
    "type": "hasMany",
    "model": "event"
  },
},

In the events I have the relationship as:

"relations": {
    "venue": {
      "type": "belongsTo",
      "model": "venue",
      "foreignKey": "venueId",
      "options": {
        "validate": true,
        "forceId": false
      }
    }
  },

In the explorer it shows me that I can get, put, post, patch, update and delete to venue/:id/events

Where and how do I say: no matter who you are, this specific relationship can ONLY have GET access and nothing else?

Answer 1

For hasMany Loopback adds the following methods:

__findById__events
__destroyById__events
__updateById__events
__get__events
__create__events
__delete__events
__count__events

Since you only want get access we keep findById, get and count, and disable the rest.

Assuming you are using Loopback 3, you can do this in your model:

Message.disableRemoteMethodByName('prototype.__destroyById__events');
Message.disableRemoteMethodByName('prototype.__updateById__events');
Message.disableRemoteMethodByName('prototype.__create__events');
Message.disableRemoteMethodByName('prototype.__delete__events');

Have a look at the documentation for the more info.

If you are using Loopback 2 you should do this instead(initally written by Kiley Hykawy):

Message.disableRemoteMethodByName('__destroyById__events', false);
Message.disableRemoteMethodByName('__updateById__events', false);
Message.disableRemoteMethodByName('__create__events', false);
Message.disableRemoteMethodByName('__delete__events', false); 

false is needed to indicate that it is a non-static method, like prototype for LoopBack 3.