strongloop/loopback-component-push

Recommended ACLs for Installation Model

Closed this issue · 6 comments

I have a question regarding the correct usage of the installation model. The clients must be able to read and modify none but "their own" installation (the one it has the deviceToken of (?)). I cannot use the $owner role here because there is no relation to User.

Any thoughts?

A few options:

  1. Add a beforeRemote hook to patch the filter object
  2. Add a belongsTo relation to Installation. You should be able to do so using a boot script.
  3. Submit a PR so that we can add belongsTo relations to Installation.

Could you elaborate on the first one please?

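```js
MyModel.beforeRemote('find', function(ctx, inst, next) {
  // Remote hook arguments are keyed by name; filter is undefined when the client sends none
  var filter = ctx.args.filter = ctx.args.filter || {};
  // Patch filter here
  // ...
  next();
});
```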
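One way to do the filter patching in a hook like the one above, as an added example (not code from this thread or the linked gist). It assumes Installation rows carry a `userId` property and that the token middleware sets `ctx.req.accessToken`; `scopeFilter` and `ownerScopeHook` are hypothetical names.

```javascript
// Return a new filter whose `where` is the client's clause ANDed with a
// server-chosen constraint, so nothing the client sends can widen it.
function scopeFilter(clientFilter, constraint) {
  var filter = clientFilter;
  if (typeof filter === 'string') {
    // Tolerate a filter that arrives as a JSON string; bad JSON means no filter.
    try { filter = JSON.parse(filter); } catch (e) { filter = {}; }
  }
  if (!filter || typeof filter !== 'object' || Array.isArray(filter)) filter = {};
  var scoped = Object.assign({}, filter);
  var hasWhere = filter.where && typeof filter.where === 'object' &&
    Object.keys(filter.where).length > 0;
  scoped.where = hasWhere ? {and: [filter.where, constraint]} : constraint;
  return scoped;
}

// Build a beforeRemote handler that pins `prop` to the caller's user id.
function ownerScopeHook(prop) {
  return function(ctx, unused, next) {
    var token = ctx.req && ctx.req.accessToken;
    if (!token || token.userId == null) {
      // Fail closed: an anonymous caller never gets an unscoped query.
      var err = new Error('Authorization Required');
      err.statusCode = 401;
      return next(err);
    }
    var constraint = {};
    constraint[prop] = token.userId;
    ctx.args.filter = scopeFilter(ctx.args.filter, constraint);
    next();
  };
}

// Wiring in a model or boot script (assumed property name):
// Installation.beforeRemote('find', ownerScopeHook('userId'));

// Constructed request context: the client's `or` clause names another user.
function demo() {
  var ctx = {
    req: {accessToken: {userId: 'u1'}},
    args: {filter: {where: {or: [{userId: 'u2'}, {appId: 'a'}]}, limit: 5}}
  };
  ownerScopeHook('userId')(ctx, null, function() {});
  return ctx.args.filter;
}
```

This scopes `find` only; the other remote methods exposed on the model (reads by id, updates, deletes) each need their own hook or an ACL that denies them.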

For anyone interested in the result: https://gist.github.com/nullEuro/6ea7c6c1de7206a44fd3

Feel free to criticize.

This is great. We should try to generalize the solution, such as:

Allowing the request to contain variables, for example:

```
{
  where: {
    userId: {{ctx.user.id}}
  }
}
```

Closing this as there is nothing left to resolve here.