I have a LoopBack app where each customer can have its own services. Therefore I need each customer to be able to see, add, edit and delete only its own services. But no matter what I do, it seems that either the customer can see all services from all users, or no one can see anyone's service.
The service model:

    "relations": {
      "customer": {
        "type": "belongsTo",
        "model": "customer",
        "foreignKey": "customerId"
      }
    }
And the ACL as I see it:

    "acls": [
      {
        "accessType": "*",
        "principalType": "ROLE",
        "principalId": "$everyone",
        "permission": "DENY"
      },
      {
        "accessType": "*",
        "principalType": "ROLE",
        "principalId": "$owner",
        "permission": "ALLOW"
      }
    ]
But if it's like this, the owner of the service can only /GET/{id} its own service, but it cannot /GET all services?!?
If I use this:

    "acls": [
      {
        "accessType": "*",
        "principalType": "ROLE",
        "principalId": "$everyone",
        "permission": "DENY"
      },
      {
        "accessType": "*",
        "principalType": "ROLE",
        "principalId": "$authenticated",
        "permission": "ALLOW"
      }
    ]
I get what I need, but this is a major security leak since each customer can get ALL services from all other customers.
You need to add a customerId property to your service model, and the $owner ACL works only if the :id segment exists in the API URL. If your URLs do not have any :id, you can create your own custom role resolver.