I am working on a music application, with genres & subgenres. We use loopback for the backend, and angularJS for the frontend with cordova & ionic.
I cannot manage to authorize via ACL a request that looks like Genre/:id/Subgenre, for which I have a proprety automatically made via lb-service.js : Genre.subGenre()
The relation's type is "hasAndBelongsToMany" for both models Genre & Sub-genres.
Here is my angular controller that I use in the frontend to do the API request :
$scope.genres = [];
Genre.find().$promise.then(function(res) { //this request works : goes to GET /Genres endpoint
$scope.genres = res;
$scope.genres.forEach(function(genre) {
genre.checked=false;
genre.subgenres = [];
Genre.subGenres({id: genre.id}).$promise.then(function(r){ //it is this one that doesn't work, GET /Genres/:id/SubGenre endpoint
genre.subgenres = r;
genre.subgenres.forEach(function(s){
s.checked=false;
});
});
});
});
here is the code in lb-service.js that provide the Genre.subGenre() property:
// INTERNAL. Use SubGenre.genres() instead.
"prototype$__get__genres": {
isArray: true,
url: urlBase + "/SubGenres/:id/genres",
method: "GET"
},
and here is the code in the genre model to authorize the acces to the API for the Genre.subGenre() property :
"acls": [
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "DENY"
},
{
"accessType": "EXECUTE",
"principalType": "ROLE",
"principalId": "$authenticated",
"permission": "ALLOW",
"property": "subGenres" // this is to authorize Genre.subGenre(), doesn't works => 401 error.
},
{
"accessType": "EXECUTE",
"principalType": "ROLE",
"principalId": "$authenticated",
"permission": "ALLOW",
"property": "find" // this is to authorize Genre.find(), it works
}
It looks like it is the property that is not correct, because when I do the same thing to authorize the Genre.find() request, it works.
Thank you a lot for your help.
Actually I figured out that I just needed to change in the ACL :
"accessType": "EXECUTE"
into
'"accessType": "READ"