I'm using loopback and I have problems with the access control for destroyAll, even when I "explicity allow" to destroyAll related Models I always get "Authorization required". I maybe just use the wrong name of the function.
For example: I got the User-Model Human and Car
Human *hasMany* Cars && Cars *belongsTo* Human
In human.json I can configure the ACLs with these
GET Human/id/Cars --> __get__cars
POST Human/id/Cars --> __create__cars
DELETE Human/id/Cars --> **??? __destroyAll__cars** doesn't work
GET Human/id/Cars/id --> __findById__Cars
PUT Human/id/Cars/id --> __updateById__Cars
DELETE Human/id/Cars/id --> __destroyById__Cars
In the ACL it would look like:
{
"accessType": "EXECUTE",
"principalType": "ROLE",
"principalId": "$owner",
"permission": "ALLOW",
"property": "__destroyAll__cars"
}, ...
I've tried deleteAll too, doesn't work either.
I'm sorry.. Just found the solution in the minute after posting this question.
It is __delete__cars. I think I'd tried this yesterday too. Maybe I had a Typo.