
Can I disable `includes` filter feature in loopbackjs API?


I have several questions related to the IBM LoopBack.js framework (Node.js).

Questions

1) Does LoopBack.js have the ability to restrict the use of include filters in the API for specific models and roles?

2) Can I restrict the possibility of getting items not related to the current user via the include API in LoopBack.js?

3) Maybe someone knows of an existing module or middleware for that? For middleware it's needed from a security perspective. For now, in some cases a user can get sensitive data using the dictionaries API.

Examples

For example: I have a USER entity with ROLE admin and a USER entity with ROLE editor. They have their own related projects and access to them. I want to restrict the editor from using GET ?filter=include:[projects] and allow the admin to use it. How can I do it?

For example: I have two USER entities with ROLE editor. They have their own related projects and access to them. They can't have access to each other's projects. Users can get the list of users by GET api/users and that is ok, because it's a dictionary. But when a user calls GET api/users?filter=include:[projects], any user has access to the projects of other users. How can I restrict or disable this feature?


Solution

  • Does LoopBack.js have the ability to restrict the use of include filters in the API for specific models and roles?

    You can disable inclusion of related models on a per-relation basis. For example, the built-in relation User has many AccessToken instances disables inclusion of access tokens when querying users. Cross-posting a configuration example from our docs:

    {
      "name": "CustomUser",
      "base": "User",
      // ...
      "relations": {
        "accessTokens": {
          "type": "hasMany",
          "model": "AccessToken",
          "foreignKey": "userId",
          "options": {
            "disableInclude": true // <<< THIS IS THE CONFIG FLAG TO SET
          }
        }
      },
      // ...
    }
    

    AFAIK, there is no built-in API for disabling include filters for specific roles.

    It may be possible to implement this feature using a beforeRemote hook and/or the access operation hook. The idea is to implement a hook that will check the role of the current user and modify the filter argument to remove forbidden inclusions.

    Another option that comes to my mind: disable inclusion of related models at the relation level for all users. Provide a custom implementation of the find function that will fetch the related models manually and only when the authorized user has the permissions to do so:

    1. Disable the built-in find method, see Disabling a remote method.
    2. Provide your own remote method that's exposed at GET /api/users, see How to add a remote method to a model.

  • Can I restrict the possibility of getting items not related to the current user via the include API in LoopBack.js?

    AFAIK, LoopBack permissions don't work at filter.include level.
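As an added example (not part of the answer above), the beforeRemote approach it sketches: a hook that rewrites the filter argument so that only relations the caller's role is allowed to include survive. It assumes the LoopBack 3 remote-hook signature (ctx, unused, next), a role resolver you supply (for instance built on Role.isInRole), and a constructed policy mapping role names to permitted relations; "projects" is the relation from the question.

```javascript
// Added example (not from the answer). Assumes the LoopBack 3 remote-hook
// signature (ctx, unused, next), the parsed filter in ctx.args.filter, and a
// caller-supplied resolveRole(ctx, cb) (e.g. built on Role.isInRole).
// Constructed policy: relations each role may request via `include`.
const INCLUDE_POLICY = { admin: ['projects'], editor: [] };

// Rebuild an `include` value keeping only allowed relations. Handles the
// forms LoopBack accepts: "rel", ["rel", ...], { rel: nested } and
// { relation: "rel", scope: {...} }. Returns undefined when nothing is left.
function filterInclude(include, allowed) {
  if (include === undefined || include === null) return undefined;
  const keep = (name) => allowed.includes(name);
  if (typeof include === 'string') return keep(include) ? include : undefined;
  if (Array.isArray(include)) {
    const out = include.map((e) => filterInclude(e, allowed)).filter((e) => e !== undefined);
    return out.length ? out : undefined;
  }
  if (typeof include === 'object') {
    if (typeof include.relation === 'string') {
      return keep(include.relation) ? include : undefined;
    }
    const obj = {};
    for (const name of Object.keys(include)) {
      if (keep(name)) obj[name] = include[name];
    }
    return Object.keys(obj).length ? obj : undefined;
  }
  return undefined; // unknown shape: drop it rather than pass it through
}

// Copy of `filter` whose `include` respects the caller's role.
function sanitizeFilter(filter, role) {
  const allowed = INCLUDE_POLICY[role] || [];
  const clean = Object.assign({}, filter);
  const kept = filterInclude(clean.include, allowed);
  if (kept === undefined) delete clean.include; else clean.include = kept;
  return clean;
}

// Hook factory: User.beforeRemote('find', includeGuard(resolveRole)).
// Rewrites ctx.args.filter before the built-in find method runs.
function includeGuard(resolveRole) {
  return function (ctx, unused, next) {
    resolveRole(ctx, (err, role) => {
      if (err) return next(err);
      ctx.args.filter = sanitizeFilter(ctx.args.filter || {}, role);
      next();
    });
  };
}
```

Register the same guard on findById and findOne as well, since those remote methods accept a filter argument too.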