问题
I need to limit data access in a model only to the loopback user that created it.
I saw this in the docs:
http://loopback.io/doc/en/lb2/Model-definition-JSON-file.html#acls
$owner - Owner of the object
Does that mean the logged in user who created that object?
When a model runs create, is loopback.io storing the user id of the current logged in user inside it's own ACL?
Or will I need to do something like this, which is to create new properties on my model with relations to the user model:
ACL troubles with loopback.io
回答1:
Got it:
http://loopback.io/doc/en/lb2/Defining-and-using-roles.html#dynamic-roles
To qualify a $owner, the target model needs to have a belongsTo relation to the User model (or a model extends from User) and property matching the foreign key of the target model instance. The check for $owner is only performed for a remote method that has ‘:id’ on the path, for example, GET /api/users/:id.
来源:https://stackoverflow.com/questions/39970066/loopback-io-model-acl-principalid-owner