
Loopback: configure ACL and relations to list all objects belonging to the logged-in user


I'm trying to set up a loopback project and I'm running into a basic issue that I can't figure out.

So I've got basically a custom user model defined with the following relations and acls:

"relations": {
   ...
    "projects": {
      "type": "hasMany",
      "model": "project",
      "foreignKey": "userId"
    }
}
"acls": [
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
    },
    {
      "accessType": "READ",
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW"
    }
]

And a 'project' model defined with properties:

"relations": {
    "user": {
      "type": "belongsTo",
      "model": "user",
      "foreignKey": "userId"
    }
},
"acls": [
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
    },
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW"
    },
    {
      "accessType": "EXECUTE",
      "principalType": "ROLE",
      "principalId": "$authenticated",
      "permission": "ALLOW",
      "property": "create"
    }
]

First of all, to my surprise, when submitting a POST /projects while logged in, I was expecting the foreign key to be automagically put in the object but it looks like this has to be done manually. I suppose this is normal, I guess I was expecting too much from the framework.

That being said, I have been struggling to be able to list all the projects owned by the logged-in user. Performing a GET /projects/{id} with {id} being an object belonging to the logged-in user works. And when {id} points to an object NOT owned by the logged-in user, I get, as expected, a 401.

But then, I was expecting that running GET /projects would return all the projects owned by the logged-in user, but instead it throws a 401 in my face.

What am I missing? Is my ACL setup wrong? Am I using the wrong method? I tried putting a filter like '{"where":{"userId":"myId"}}' but had no luck. I also tried the other endpoint /user/myId/projects with no better luck.

Thanks
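The question notes that the foreign key is not filled in automatically on POST /projects. The following is an added example (not code from the question, the answer, or the LoopBack project) of a LoopBack 3 model script for `common/models/project.js` that stamps `userId` from the caller's access token in a `beforeRemote('create')` hook, so a client cannot create a project owned by someone else and the `$owner` ACL above only ever matches rows the caller really created. It assumes the LoopBack 3 remote-hook context shape (`ctx.req.accessToken`, `ctx.args.data`) and the `Model.beforeRemote` API; the fake `Project` used for testing is constructed.

```javascript
// Added example: owner stamping for the `project` model from the question.
// Pure helper so the logic can be exercised without a running LoopBack app.
// ctx is the remote-hook context: ctx.req.accessToken is the resolved token,
// ctx.args.data is the request body of the `create` remote method.
function ownerFromContext(ctx) {
  const token = ctx && ctx.req && ctx.req.accessToken;
  return token && token.userId != null ? token.userId : null;
}

// Replaces ctx.args.data with a copy whose userId is the token's userId and
// returns it, or throws a 401-style error when nobody is authenticated.
function stampOwner(ctx) {
  const userId = ownerFromContext(ctx);
  if (userId === null) {
    const err = new Error('Authorization Required');
    err.statusCode = 401;
    err.code = 'AUTHORIZATION_REQUIRED';
    throw err;
  }
  const data = Object.assign({}, ctx.args.data);
  // Overwrite, never trust: a client-supplied userId is silently replaced,
  // so the belongsTo/hasMany link always points at the real caller.
  data.userId = userId;
  ctx.args.data = data;
  return data;
}

// Model script entry point. In common/models/project.js you would write
// `module.exports = registerOwnerHook;` and LoopBack calls it with the
// Project constructor at boot. The hook runs before `create` is invoked.
function registerOwnerHook(Project) {
  Project.beforeRemote('create', function (ctx, unused, next) {
    try {
      stampOwner(ctx);
      next();
    } catch (err) {
      next(err); // surfaces as a 401 to the client
    }
  });
}
```

With this in place the client's POST body may omit `userId` entirely, and the `$owner` role then resolves correctly for both `GET /projects/{id}` and `GET /users/{userId}/projects`.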


Solution

  • So I guess I was just getting loopback wrong, GET /projects was not the correct call but instead GET /users/{userId}/projects. ACL and relations seem to be correctly set.