FuZzBall - 2 months ago
Node.js Question

Loopback acl and ownerid

I have a small doubt about how ACL works in LoopBack.

I'm following the sample https://github.com/strongloop/loopback-example-access-control

The REST API allows the create call to pass the ownerId as a parameter, but doesn't do any validation.

So an authenticated user can, for example, create a project and set the ownerId to any value. I believe that property should only be allowed to be set by an admin role.

I know I can put in some code to do the validation, but I believe that value must be set automatically based on the currently logged-in user. Am I wrong, or am I missing something?

Thank you!

Answer

I spent a lot of time finding this out. Although it seems the belongsTo and hasMany relations between the built-in PersistedModel and User model must set ownerId automatically, it's probably a design issue.

So to achieve your aim you must set ownerId before each remote request, from the access token params, like this:

Model.beforeRemote('create', function(ctx, unused, next) {
    var token = ctx.req.accessToken; // undefined for unauthenticated calls
    if (!token) return next(new Error('Authorization Required'));
    // Overwrite any client-supplied ownerId with the caller's userId;
    // ctx.args.data is the parsed request body passed on to create().
    ctx.args.data.ownerId = token.userId;
    next();
});

and then hide the ownerId property from your API.

EDIT:

If you want to set ownerId automatically, see this link for more details.
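The hook approach from the answer above, as an added example that is not part of the original answer or of loopback-example-access-control. It assumes a Project model with an ownerId property (as in that example repo); registerOwnerHooks() is what you would put in common/models/project.js, and FakeModel and simulate() are stand-ins so the file runs here without LoopBack installed. It goes one step beyond the answer: besides stamping ownerId on create, it strips ownerId from the body of the update methods, because a remote hook on create alone still lets the record be re-assigned later through PUT/PATCH /projects/:id.

```javascript
'use strict';

// Remote hook for create: refuse unauthenticated calls and overwrite whatever
// ownerId the client sent with the userId of the validated access token.
function stampOwner(ctx, unused, next) {
  var token = ctx.req && ctx.req.accessToken;
  if (!token || token.userId == null) {
    var err = new Error('Authorization Required');
    err.statusCode = 401;
    err.code = 'AUTHORIZATION_REQUIRED';
    return next(err);
  }
  // ctx.args.data is the parsed body LoopBack hands to Model.create();
  // editing it is more reliable than editing ctx.req.body after parsing.
  if (!ctx.args.data || typeof ctx.args.data !== 'object') {
    ctx.args.data = {};
  }
  ctx.args.data.ownerId = token.userId;
  return next();
}

// Remote hook for updates: drop ownerId from the body so an existing record
// cannot be re-assigned through the API, whoever the caller is.
function stripOwner(ctx, unused, next) {
  if (ctx.args.data && typeof ctx.args.data === 'object') {
    delete ctx.args.data.ownerId;
  }
  return next();
}

// Body of common/models/project.js (assumed model name and property).
// Register the same hooks for any other write methods your ACLs allow.
function registerOwnerHooks(Project) {
  Project.beforeRemote('create', stampOwner);                     // POST /projects
  Project.beforeRemote('prototype.updateAttributes', stripOwner); // PUT/PATCH /projects/:id
  Project.beforeRemote('replaceById', stripOwner);                // PUT /projects/:id/replace
}

// Minimal stand-in for a LoopBack model so the hooks can be exercised offline.
function FakeModel() {
  this.hooks = {};
}
FakeModel.prototype.beforeRemote = function(method, fn) {
  this.hooks[method] = fn;
};

// Run the hook registered for `method` against a constructed request context
// and return { err, data }: the error passed to next() and the body that
// would reach the model method.
function simulate(model, method, body, accessToken) {
  var ctx = { req: { body: body, accessToken: accessToken }, args: { data: body } };
  var result = { err: null, data: null };
  model.hooks[method](ctx, null, function(err) {
    result.err = err || null;
    result.data = ctx.args.data;
  });
  return result;
}

// Constructed sample requests: a logged-in user (userId 42) tries to claim
// ownerId 1 on create, an anonymous caller tries the same, and an update
// tries to hand the record to someone else.
var project = new FakeModel();
registerOwnerHooks(project);
var created = simulate(project, 'create', { name: 'p1', ownerId: 1 }, { id: 'tok', userId: 42 });
var anon = simulate(project, 'create', { name: 'p2', ownerId: 1 }, undefined);
var updated = simulate(project, 'prototype.updateAttributes', { name: 'p3', ownerId: 7 }, { id: 'tok', userId: 42 });
console.log('create as 42 ->', created.data);            // ownerId is 42, not 1
console.log('anonymous create ->', anon.err && anon.err.statusCode); // 401
console.log('update ->', updated.data);                 // ownerId removed
```

The ACL side is unchanged from the example repo: $authenticated may call create and $owner may update its own records; the hooks only make sure the ownerId the ACL later relies on is always the caller's. Note that hiding ownerId in the model JSON affects what the API returns, not what it accepts, so the input side still needs the hook.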