sivashanmugam kannan - 17 days ago
JSON Question

Apply Access restriction to properties inside a model in loopback [Strongloop]

I have a model named employee and its properties are

"name":"",
"dob":"",
"location":""


Some of the default roles in the LoopBack framework are

$authenticated
$everyone


I wanted to:

1. Allow the $authenticated role to access the model employee [READ and WRITE].

2. Allow the $everyone role only to [READ] the model properties except the location property [location may only be read by the role $authenticated].

I added the below config in employee.json, but it didn't work.

    {
      "accessType": "READ",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "ALLOW"
    },
    {
      "accessType": "READ",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY",
      "property": "location"
    }


I searched a lot but could not find the code.

Answer

The code below will work for my scenario, but it's not perfect. It's kind of a workaround. There are methodologies called mixins which will do those tasks, I guess. As my question is not answered, I am giving my solution. Use it at your own risk.

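    // Strip `location` from every remote method result when the caller has no access token.
    Employee.afterRemote('**', function(ctx, result, next) {
        // ctx.req.accessToken is only set for authenticated requests
        var isLoggedIn = ctx.req.accessToken != null;
        if (ctx.result && !isLoggedIn) {
            // Treat single results (e.g. findById) and arrays (e.g. find) the same way
            var items = Array.isArray(ctx.result) ? ctx.result : [ctx.result];
            items.forEach(function (item) {
                // Only model instances expose unsetAttribute (count() returns a plain object)
                if (item && typeof item.unsetAttribute === 'function') {
                    item.unsetAttribute('location');
                }
            });
        }

        next();
    });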
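
The same redaction logic as a standalone sketch that runs without LoopBack, added here as an example and not part of the original answer or of the framework. `makeInstance`, `redactItem`, `hideRestrictedFields` and `simulate` are hypothetical names, the stand-in object mimics only `unsetAttribute`, and the sample records are constructed.

```javascript
// Fields only authenticated callers may read (from the question: location).
const RESTRICTED_FIELDS = ['location'];

// Constructed stand-in for a LoopBack model instance; only unsetAttribute is mimicked.
function makeInstance(data) {
  const inst = Object.assign({}, data);
  Object.defineProperty(inst, 'unsetAttribute', {
    enumerable: false,
    value: function (name) { delete this[name]; },
  });
  return inst;
}

// Remove restricted fields from one result item, whatever its shape.
function redactItem(item) {
  if (item === null || typeof item !== 'object') return;
  RESTRICTED_FIELDS.forEach(function (field) {
    if (typeof item.unsetAttribute === 'function') {
      item.unsetAttribute(field);   // model instance
    } else {
      delete item[field];           // plain object, e.g. from a custom remote method
    }
  });
}

// Hook body with the same (ctx, result, next) shape as Employee.afterRemote('**', ...).
function hideRestrictedFields(ctx, result, next) {
  const anonymous = !(ctx.req && ctx.req.accessToken); // no token: treat as anonymous
  if (anonymous && ctx.result) {
    const items = Array.isArray(ctx.result) ? ctx.result : [ctx.result];
    items.forEach(redactItem);
  }
  next();
}

// Run the hook against a constructed context and return what the client would receive.
function simulate(result, accessToken) {
  const ctx = { req: { accessToken: accessToken }, result: result };
  hideRestrictedFields(ctx, ctx.result, function () {});
  return JSON.parse(JSON.stringify(ctx.result));
}

// Constructed sample data.
const sample = () => makeInstance({ name: 'Asha', dob: '1990-01-01', location: 'Chennai' });
console.log(simulate([sample()], null));          // anonymous find
console.log(simulate(sample(), null));            // anonymous findById
console.log(simulate(sample(), { id: 'tok' }));   // authenticated findById
```

A hook like this only sees responses produced by the employee model's own remote methods, so employee data returned through another model's endpoint needs its own check.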