I have a little doubt about how ACL works on loopback.
I'm following the sample https://github.com/strongloop/loopback-example-access-control
The REST API allows the create call to pass the ownerId as a parameter, but doesn't do any validation.
So an authenticated user can, for example, create a project and set the ownerId to any value. I believe that property should only be allowed to be set by an admin Role.
I know I can put in some code to do the validation, but I believe that value should be set automatically based on the user currently logged in. Am I wrong, or am I missing something?
Thank you!
I spent so much time finding this out. Although it seems the belongsTo and hasMany relations between the built-in PersistedModel and UserModel should set ownerId automatically, it's probably a design issue.
So to achieve your aim you must set ownerId before each remote request, from the access token, like this:
Model.beforeRemote('create', function(context, unused, next) {
  var req = context.req;
  // Overwrite whatever ownerId the client sent with the id from the access token
  req.body.ownerId = req.accessToken.userId;
  next();
});
and then hide the ownerId property from your API.
EDIT:
If you want to set ownerId automatically, see this link for more details.
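The hook from the answer above, written out as a LoopBack boot script with the guard a practitioner would want: this is an added example, not code from the original answer or from the strongloop sample. It assumes the sample's `project` model carries an `ownerId` property; the names `setOwnerFromToken` and `registerOwnerHook` are my own. The behaviour it demonstrates is that the server, not the client, decides who owns a created record, and that a request without an access token fails closed instead of being saved with an undefined owner.

```javascript
'use strict';

// beforeRemote('create') handler: force ownerId to the caller's identity.
// LoopBack attaches the validated access token to context.req.accessToken,
// so any ownerId the client put in the body is simply overwritten.
function setOwnerFromToken(context, unused, next) {
  var req = context.req;
  var token = req && req.accessToken;
  if (!token || !token.userId) {
    // ACLs normally reject anonymous callers before this runs; fail closed
    // anyway rather than create a record nobody owns.
    var err = new Error('Authorization Required');
    err.statusCode = 401;
    err.code = 'AUTHORIZATION_REQUIRED';
    return next(err);
  }
  req.body.ownerId = token.userId;
  // In LoopBack's REST adapter context.args.data is the parsed body itself;
  // setting it too keeps the hook correct if a custom adapter copies the body.
  if (context.args && context.args.data && context.args.data !== req.body) {
    context.args.data.ownerId = token.userId;
  }
  return next();
}

// Attach the hook to one model. Returns the model name so callers can log
// which models were protected at boot.
function registerOwnerHook(Model) {
  Model.beforeRemote('create', setOwnerFromToken);
  return Model.modelName;
}

// Boot script entry point, e.g. server/boot/owner-hook.js in the project.
// `app.models.project` is the sample's model name (assumption for this example).
function boot(app) {
  return [registerOwnerHook(app.models.project)];
}

if (typeof module !== 'undefined') {
  module.exports = boot;
  module.exports.setOwnerFromToken = setOwnerFromToken;
  module.exports.registerOwnerHook = registerOwnerHook;
}
```

The hook only covers `create`; an `updateAttributes` or `upsert` call could still change `ownerId` unless it is hidden from input as the answer suggests or guarded by a second hook, so apply the same check to any remote method that accepts the property.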