Tags: javascript, acl, loopbackjs, strongloop

Loopback - Set ACL on Object level


I have successfully added "Class"-level ACLs, to only allow authorized users to access my model:

.../server/ModelObj.js

"acls": [
  {
    "accessType": "*",
    "principalType": "ROLE",
    "principalId": "$unauthenticated",
    "permission": "DENY"
  }
]

This is great, but my application needs ACLs on an even lower level: object level.

When a User who belongs to a Role creates a new object, the object must only be accessible by other users who have the same role.

Is this the way to go about the problem in Loopback, or do they provide a different way?

Thanks in advance, Jesper.


Solution

  • I think you may have to implement this using a custom role resolver. The idea is to create a role and a custom resolver and determine a user's access to the given model at runtime. Here's a partial example (note that you would need to create the role, its members, etc. as well).

    // perhaps in a boot script?
    module.exports = function(app) {
      app.models.Role.registerResolver('teamMember', function(role, context, cb) {
        if (context.modelName !== 'ModelObj') {
          // Not our model. The resolver must always call back, otherwise the
          // request never receives an access decision and hangs.
          return cb(null, false);
        }
        context.model.findById(context.modelId, function(err, instance) {
          if (err) { /* handle it... */ return cb(err); }
          if (!instance) { return cb(null, false); } // unknown id, or no id at all (e.g. create)
          // check the instance for something to determine access
          // execute callback with switch for access (or not)
          cb(null, true);
        });
      });
    };
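The answer above leaves the actual access check as a comment. The following is an added, self-contained example (not from the original answer or from LoopBack itself) that fills that check in for the case the question describes: an object is reachable only by users who hold the same role as its creator. It assumes a column on the model, here called `ownerRoleId`, that records the creator's team role; the in-memory `ModelObj` and `RoleMapping` objects are constructed stand-ins that mimic the `findById`/`findOne` callback shapes of the real LoopBack models, and the sample users, roles and rows are made up. Only `Role.registerResolver`, the `AccessContext` fields (`modelName`, `modelId`, `model`, `getUserId()`) and the `RoleMapping` columns (`principalType`, `principalId`, `roleId`) are real LoopBack API.

```javascript
// Constructed, in-memory stand-ins for app.models.ModelObj and app.models.RoleMapping.
// They mimic the findById/findOne callback shapes of real LoopBack models but answer
// synchronously so a decision can be read back without a running app.
const roleMappings = [
  { principalType: 'USER', principalId: '1', roleId: '10' }, // alice, team A
  { principalType: 'USER', principalId: '2', roleId: '10' }, // bob,   team A
  { principalType: 'USER', principalId: '3', roleId: '20' }, // carol, team B
];
const rows = new Map([
  ['100', { id: '100', title: 'team A report', ownerRoleId: '10' }],
  ['200', { id: '200', title: 'team B plan',   ownerRoleId: '20' }],
]);

const RoleMapping = {
  findOne(filter, cb) {
    const w = filter.where;
    // Compare as strings: RoleMapping stores ids as strings, while the caller's user id
    // is often a number. Comparing the raw values silently denies everyone.
    const hit = roleMappings.find(m => m.principalType === w.principalType &&
      String(m.principalId) === String(w.principalId) && String(m.roleId) === String(w.roleId));
    cb(null, hit || null);
  },
};
const ModelObj = {
  modelName: 'ModelObj',
  findById(id, cb) { cb(null, rows.get(String(id)) || null); },
};

// Assumption (not in the original post): every ModelObj row carries an ownerRoleId column,
// the roleId of the team that created it. stampOwnerRole fills it in from the creator's
// RoleMapping; in a real app this would run in a 'before save' operation hook.
function stampOwnerRole(creatorUserId, data, cb) {
  const hit = roleMappings.find(m =>
    m.principalType === 'USER' && String(m.principalId) === String(creatorUserId));
  if (!hit) return cb(new Error('creator has no team role; refusing to create an unowned object'));
  cb(null, Object.assign({}, data, { ownerRoleId: hit.roleId }));
}

// The dynamic role resolver, in the shape app.models.Role.registerResolver expects.
// context is LoopBack's AccessContext: modelName, modelId, model, getUserId().
function teamMemberResolver(role, context, cb) {
  if (context.modelName !== 'ModelObj') {
    return cb(null, false);                       // not ours: always answer, or the request hangs
  }
  const userId = context.getUserId();
  if (!userId) return cb(null, false);            // unauthenticated callers never match
  if (!context.modelId) return cb(null, false);   // create/find: no instance, other ACL entries decide
  context.model.findById(context.modelId, (err, instance) => {
    if (err) return cb(err);
    if (!instance || instance.ownerRoleId == null) return cb(null, false); // unknown or unowned: deny
    RoleMapping.findOne(
      { where: { principalType: 'USER', principalId: userId, roleId: instance.ownerRoleId } },
      (err2, mapping) => (err2 ? cb(err2) : cb(null, mapping !== null)));
  });
}

// Demo/test helper: ask the resolver about one user and one object id. It reads the callback
// result back synchronously, which only works because the stubs above call back synchronously.
function decide(userId, modelId, modelName = 'ModelObj') {
  let result = null;
  const context = { modelName, modelId, model: ModelObj, getUserId: () => userId };
  teamMemberResolver('teamMember', context, (err, ok) => { if (err) throw err; result = ok; });
  return result;
}

// In a real app the only wiring needed is, in a boot script:
//   app.models.Role.registerResolver('teamMember', teamMemberResolver);
console.log('alice -> team A report:', decide('1', '100'));      // true
console.log('carol -> team A report:', decide('3', '100'));      // false
console.log('anonymous -> team A report:', decide(null, '100')); // false
```

The resolver only answers "is this caller a member of the owning team"; it still has to be referenced from the model's ACL list to take effect. With the question's single `DENY $unauthenticated` entry, every authenticated user would still be allowed by default, so the pairing that enforces the requirement is a `DENY` for `$everyone`, an `ALLOW` for the dynamic role `teamMember` on `READ`/`WRITE`, and a separate `ALLOW` for `$authenticated` on the `create` method (the resolver deliberately returns `false` when there is no `modelId`, so creation must be permitted elsewhere). Deleting an instance should be tested explicitly, since some LoopBack versions resolve `modelId` differently for `deleteById`.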