So I have a venue model with the following rellationship:
relations": {
"events": {
"type": "hasMany",
"model": "event"
},
},
In the events I have the relationship as:
"relations": {
"venue": {
"type": "belongsTo",
"model": "venue",
"foreignKey": "venueId",
"options": {
"validate": true,
"forceId": false
}
}
},
In the explorer it shows me that I can get, put, post, patch, update and delete to venue/:id/events
Where and how do I say: no matter who you are, this specific relationship can ONLY have GET access and nothing else?
For hasMany Loopback adds the following methods:
__findById__events
__destroyById__events
__updateById__events
__get__events
__create__events
__delete__events
__count__events
Since you only want get access we keep findById, get and count, and disable the rest.
Assuming you are using Loopback 3, you can do this in your model:
Message.disableRemoteMethodByName('prototype.__destroyById__events');
Message.disableRemoteMethodByName('prototype.__updateById__events');
Message.disableRemoteMethodByName('prototype.__create__events');
Message.disableRemoteMethodByName('prototype.__delete__events');
Have a look at the documentation for the more info.
If you are using Loopback 2 you should do this instead(initally written by Kiley Hykawy):
Message.disableRemoteMethodByName('__destroyById__events', false);
Message.disableRemoteMethodByName('__updateById__events', false);
Message.disableRemoteMethodByName('__create__events', false);
Message.disableRemoteMethodByName('__delete__events', false);
false is needed to indicate that it is a non-static method, like prototype for LoopBack 3.