Recommended ACLs for Installation Model
Closed this issue · 6 comments
nullEuro commented
I have a question regarding the correct usage of the installation model. The clients must be able to read and modify none but "their own" installation (the one it has the deviceToken of (?)). I cannot use the `$owner` role here because there is no relation to `User`.
Any thoughts?
raymondfeng commented
A few options:
- Add a `beforeRemote` hook to patch the filter object
- Add a `belongsTo` relation to `Installation`. You should be able to do so using a boot script.
- Submit a PR so that we can add `belongsTo` relations to `Installation`.
nullEuro commented
Could you elaborate on the first one please?
raymondfeng commented
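```javascript
MyModel.beforeRemote('find', function(ctx, inst, next) {
  // Remote method arguments are exposed by name on ctx.args,
  // so the query filter is ctx.args.filter (it may be undefined).
  var filter = ctx.args.filter || {};
  // Patch filter here
  // ...
  ctx.args.filter = filter;
  next();
});
```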
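An added example, not part of the original thread or LoopBack's own code: one way to patch the filter in a `beforeRemote('find')` hook so that the ownership constraint is AND-ed with whatever `where` the client sent and cannot be widened by it. Assumptions: the caller is read from `ctx.req.accessToken.userId`, the model has a `userId` property, the filter arrives as the named argument `ctx.args.filter`, and all helper names are hypothetical; `makeFakeModel` is a constructed stand-in so the hook runs offline.

```javascript
// AND the client's `where` with a server-chosen ownership constraint, so a
// client-supplied `or` or `userId` clause cannot widen the result set.
function scopeFilter(filter, ownerWhere) {
  var base = (filter && typeof filter === 'object') ? filter : {};
  var scoped = Object.assign({}, base);
  var clientWhere = scoped.where;
  scoped.where = (clientWhere && Object.keys(clientWhere).length)
    ? { and: [clientWhere, ownerWhere] }
    : ownerWhere;
  return scoped;
}

// Registers the hook. `Model` is any object exposing beforeRemote(name, fn).
// Taking the caller's id from ctx.req.accessToken is an assumption about how
// the application authenticates requests.
function restrictFindToOwner(Model) {
  Model.beforeRemote('find', function(ctx, unused, next) {
    var token = ctx.req && ctx.req.accessToken;
    if (!token || !token.userId) {
      var err = new Error('Authorization Required');
      err.statusCode = 401;
      return next(err); // fail closed: no identity, no query
    }
    ctx.args.filter = scopeFilter(ctx.args.filter, { userId: token.userId });
    next();
  });
}

// Constructed stand-in for a model, used only to exercise the hook offline.
function makeFakeModel() {
  var hooks = {};
  return {
    beforeRemote: function(name, fn) { hooks[name] = fn; },
    // Simulates a remote call and returns what the hook produced.
    invoke: function(name, ctx) {
      var result = { error: null, filter: undefined };
      hooks[name](ctx, null, function(err) {
        result.error = err || null;
        result.filter = ctx.args.filter;
      });
      return result;
    }
  };
}
```

The hook covers only `find`; other remote methods that read or modify the model are not constrained by it.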
nullEuro commented
For anyone interested in the result: https://gist.github.com/nullEuro/6ea7c6c1de7206a44fd3
Feel free to criticize.
raymondfeng commented
This is great. We should try to generalize the solution, such as:
Allowing the request to contain variables, for example:
```
{
  where: {
    userId: {{ctx.user.id}}
  }
}
```
superkhau commented
Closing this as there is nothing left to resolve here.