The best solution for control access to models in strongLoop

Submitted by 爷,独闯天下 on 2020-02-29 06:11:25

Question


I'm new to StrongLoop. I have 2 models (CustomUser and Item). I want any CustomUser to have access to his Items. I don't want to use the default APIs exposed by StrongLoop because I don't want CustomUsers to be able to define filters with these APIs. I define my RemoteMethod that returns items based on an internal filter. My question: Should I check the current user and return his related items, or can I use ACL in StrongLoop for this matter? If ACL is the correct answer, where should I insert my RemoteMethod (CustomUser model or Item model) and how do I define the correct settings for the use of ACL?


Answer 1:


Yes, it's possible. Loopback is very flexible.

Of course, you asked 2 different questions.

  1. How to disable applying a 'where' filter in the API.
  2. How a CustomUser can access just his items.

For the first question, you can use loopback hooks and set where filters based on whatever you want. In this way, you are not compelled to write a new remote method.

Item.json:

var loopback = require('loopback');

module.exports = function(Item) {
  // Scope every Item query to the current tenant, whatever filter the client sent.
  Item.observe('access', function limitToTenant(ctx, next) {
    ctx.query = ctx.query || {};
    ctx.query.where = ctx.query.where || {};
    ctx.query.where.tenantId = loopback.getCurrentContext().tenantId;
    next();
  });
};

And for the next question you must use some ACLs and relations for your two models like this:

First, disable access to all remote methods in the Item.json model.

"acls": [
 {
  "accessType": "*",
  "principalType": "ROLE",
  "principalId": "$everyone",
  "permission": "DENY"
 }
]

Next, in the CustomUser.json model define which methods of the Item model can be used:

"acls": [
    {
    "principalType": "ROLE",
    "principalId": "$owner",
    "permission": "ALLOW",
    "property": "__create__items"
    },
    {
    "principalType": "ROLE",
    "principalId": "$owner",
    "permission": "ALLOW",
    "property": "__get__items"
    },
    {
    "principalType": "ROLE",
    "principalId": "$owner",
    "permission": "ALLOW",
    "property": "__count__items"
    }
    ...
]

Next, define a relation between the CustomUser and Item models.

In Item.json:

"relations": {
    "customUser": {
    "type": "belongsTo",
    "model": "CustomUser",
    "foreignKey": "ownerId"
    }
}

In CustomUser.json:

"relations": {
    "items": {
    "type": "hasMany",
    "model": "Item",
    "foreignKey": "ownerId"
    }
}

Then create a new user, log in with the received accessToken and keep the userId for the next steps.

Now if you want to post a new Item you can use this API.

POST (items data) : api/CustomUser/{userId}/items/

And to get his items you can use:

GET : api/CustomUser/{userId}/items/

In this way the ownerId will be saved automatically in the Item model and other users can't access his Items.
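As an added example (not code from the original answer or from LoopBack itself), here is a LoopBack 3 style 'access' hook that enforces the same ownership rule as the ACLs and relations above, but fails closed and keeps a client-supplied where filter from widening the result set. It assumes the Item model has the ownerId foreign key shown above and that the request's access token is available as ctx.options.accessToken (LoopBack 3 injects it when remoting is configured with injectOptionsFromRemoteContext); the file path in the comment is hypothetical.

```javascript
// Build the scoped where clause. The caller's own filter, if any, is kept
// but AND-ed with the ownership constraint, so a client cannot widen the
// result set by supplying its own ownerId or by omitting the filter.
function scopeWhereToOwner(where, ownerId) {
  var ownerClause = { ownerId: ownerId };
  if (!where || Object.keys(where).length === 0) return ownerClause;
  return { and: [where, ownerClause] };
}

// The hook itself: rewrites ctx.query in place and fails closed when no
// authenticated user is present. The DENY ACL on Item should already block
// anonymous calls, but the hook must never fall back to returning every row.
function limitToOwner(ctx, next) {
  var token = ctx.options && ctx.options.accessToken;
  if (!token || token.userId == null) {
    var err = new Error('Authorization Required');
    err.statusCode = 401;
    return next(err);
  }
  ctx.query = ctx.query || {};
  ctx.query.where = scopeWhereToOwner(ctx.query.where, token.userId);
  next();
}

// Wiring, in the model script (hypothetical path common/models/item.js):
//   module.exports = function(Item) { Item.observe('access', limitToOwner); };

// Small driver so the hook can be exercised without a running LoopBack app.
// The hook calls next() synchronously, so the result is available on return.
function runHook(ctx) {
  var result = { err: null };
  limitToOwner(ctx, function (err) { result.err = err || null; });
  result.where = ctx.query && ctx.query.where;
  return result;
}

// Constructed sample context: user 7 asks for items named "pen"; the
// effective filter becomes {and: [{name: "pen"}, {ownerId: 7}]}.
var sampleCtx = {
  query: { where: { name: 'pen' } },
  options: { accessToken: { userId: 7 } }
};
var sampleResult = runHook(sampleCtx);
```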




Answer 2:


As per the LoopBack documentation, each method has to be disabled separately.

var isStatic = true;
CustomUser.disableRemoteMethod('deleteById', isStatic);

But remote methods can be called even if they are disabled.

ACLs are required only if you intend to perform any authorisation control.



Source: https://stackoverflow.com/questions/36529000/the-best-solution-for-control-access-to-models-in-strongloop
