I am new to LoopBack. I am trying to learn & implement ACL.
I have one "PersistedModel" named 'Page'. I am using two different models, 'Employee' and 'Customer', both based on the built-in 'User' model.
Relation: A page belongs to an 'Employee' as well as a 'Customer'. Both should be owners for a page. Customer & Employee both have many Pages. So, I have added the following in relations:
    "customer": {
      "type": "belongsTo",
      "model": "Customer",
      "foreignKey": "customerId"
    },
    "employee": {
      "type": "belongsTo",
      "model": "Employee",
      "foreignKey": "employeeId"
    }
ACL: I want 'WRITE' permission only for owners. So, I have added the following in acls:
    {
      "accessType": "WRITE",
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW"
    }
When I try a patch request, owner customer's request gets executed successfully. But, owner employee's request gets 'Authorization error'.
What am I doing wrong here?
The LoopBack documentation was updated recently and they have added these two lines in a notice: (http://loopback.io/doc/en/lb3/Using-built-in-models.html#user-model)
LoopBack does not support multiple models based on the User model in a single application. That is, you cannot have more than one model derived from the built-in User model in a single app.
So basically, I should not have created two different models that are based on the 'User' model. :(
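
A check for the limitation quoted above, as an added example that is not part of the original post or of LoopBack itself: it scans model definitions for more than one model derived from `User`, and for models that combine a `$owner` ACL with `belongsTo` relations to several of them. The function names and the inline sample definitions are assumptions, constructed from the relations and ACL shown in the question.

```javascript
'use strict';

// Constructed sample definitions, shaped like common/models/*.json files.
const sampleModels = [
  { name: 'Customer', base: 'User' },
  { name: 'Employee', base: 'User' },
  {
    name: 'Page',
    base: 'PersistedModel',
    relations: {
      customer: { type: 'belongsTo', model: 'Customer', foreignKey: 'customerId' },
      employee: { type: 'belongsTo', model: 'Employee', foreignKey: 'employeeId' },
    },
    acls: [{ accessType: 'WRITE', principalType: 'ROLE', principalId: '$owner', permission: 'ALLOW' }],
  },
];

// Walk the "base" chain to decide whether a model ultimately extends User.
function derivesFromUser(name, byName, seen = new Set()) {
  const def = byName.get(name);
  if (!def || seen.has(name)) return false; // unknown base or cyclic chain
  seen.add(name);
  return def.base === 'User' || derivesFromUser(def.base, byName, seen);
}

// Hypothetical audit helper: returns a list of human-readable findings.
function auditUserModels(models) {
  const byName = new Map(models.map((m) => [m.name, m]));
  const userModels = models.filter((m) => derivesFromUser(m.name, byName)).map((m) => m.name);
  const findings = [];
  if (userModels.length > 1) {
    findings.push(`multiple User-derived models: ${userModels.join(', ')}`);
  }
  for (const m of models) {
    const usesOwner = (m.acls || []).some((a) => a.principalId === '$owner');
    const owners = Object.values(m.relations || {})
      .filter((r) => r.type === 'belongsTo' && userModels.includes(r.model))
      .map((r) => r.model);
    if (usesOwner && owners.length > 1) {
      findings.push(`${m.name}: $owner ACL with belongsTo to ${owners.join(' and ')}`);
    }
  }
  return findings;
}

console.log(auditUserModels(sampleModels).join('\n'));
```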