Hi,
I have MyUser that extends built-in User. I am trying to disable all /myusers/accessTokens endpoints, but I can't disable PUT and DELETE.
Here's my code (in MyUser.js):
````
MyUser.disableRemoteMethod('__get__accessTokens', false);
MyUser.disableRemoteMethod('__create__accessTokens', false);
MyUser.disableRemoteMethod('__find__accessTokens', false);
MyUser.disableRemoteMethod('__count__accessTokens', false);
MyUser.disableRemoteMethod('__findById__accessTokens', false);
MyUser.disableRemoteMethod('__upsert__accessTokens', false);
MyUser.disableRemoteMethod('__delete__accessTokens', false);
````
all were hidden but the two mentioned.
What is the correct way to hide them?
Ok, I've found the name (I'm still wondering if there is a better way to hide everything):
````
MyUser.disableRemoteMethod('__destroyById__accessTokens', false); // DELETE
MyUser.disableRemoteMethod('__updateById__accessTokens', false); // PUT
````
Please close.
PS: maybe there is a mistake in the doc: http://docs.strongloop.com/display/public/LB/Exposing+models+over+REST#ExposingmodelsoverREST-Hidingendpointsforrelatedmodels . Example suggests to use: __delete__.
OK, I clarified in docs.
This is still a pretty horrible approach. Is there no better way? My model has relations to other models, and they show up also. Do I actually have to explicitly "disableRemoteMethod" on each and every known endpoint? There sure has to be a way to only allow access to a model through another model's relations?
Example:
I want to be able to access messages through conversation, but not the other way around:
conversations/messages :+1:
messages/ should be hidden entirely
Does anyone have a complete list of method names for user model?
Here is what I came up with after one hour looking at the source code:
````
MyUser.disableRemoteMethod("create", true);
MyUser.disableRemoteMethod("update", true);
MyUser.disableRemoteMethod("updateById", true);
MyUser.disableRemoteMethod("updateAll", true);
MyUser.disableRemoteMethod("find", true);
MyUser.disableRemoteMethod("findById", true);
MyUser.disableRemoteMethod("findOne", true);
MyUser.disableRemoteMethod("deleteById", true);
MyUser.disableRemoteMethod("destroyById", true);
MyUser.disableRemoteMethod("removeById", true);
MyUser.disableRemoteMethod("confirm", true);
MyUser.disableRemoteMethod("count", true);
MyUser.disableRemoteMethod("exists", true);
MyUser.disableRemoteMethod("resetPassword", true);
MyUser.disableRemoteMethod('__count__accessTokens', true);
MyUser.disableRemoteMethod('__create__accessTokens', true);
MyUser.disableRemoteMethod('__findById__accessTokens', true);
MyUser.disableRemoteMethod('__deleteById__accessTokens', true);
MyUser.disableRemoteMethod('__destroyById__accessTokens', true);
MyUser.disableRemoteMethod('__removeById__accessTokens', true);
MyUser.disableRemoteMethod('__deleteAll__accessTokens', true);
MyUser.disableRemoteMethod('__destroyAll__accessTokens', true);
MyUser.disableRemoteMethod('__removeAll__accessTokens', true);
MyUser.disableRemoteMethod('__updateById__accessTokens', true);
````
Few methods were removed, but I still have the methods below displayed on explorer:
````
DELETE /MyUsers/{id}/accessTokens
DELETE /MyUsers/{id}/accessTokens/{fk}
GET /MyUsers/{id}/accessTokens
GET /MyUsers/{id}/accessTokens/count
GET /MyUsers/{id}/accessTokens/{fk}
POST /MyUsers/login
POST /MyUsers/logout
POST /MyUsers/{id}/accessTokens
PUT /MyUsers
PUT /MyUsers/{id}
PUT /MyUsers/{id}/accessTokens/{fk}
````
How could I disable everything but login and logout?
@raymondfeng Do you have a suggestion here?
The complete list is available via http://localhost:3000/explorer/resources/users. See the list of nicknames.
Thanks @crandmck and @raymondfeng !
Here is the code that allowed me to disable all /users methods except login and logout:
````
MyUser.disableRemoteMethod("create", true);
MyUser.disableRemoteMethod("upsert", true);
MyUser.disableRemoteMethod("updateAll", true);
MyUser.disableRemoteMethod("updateAttributes", false);
MyUser.disableRemoteMethod("find", true);
MyUser.disableRemoteMethod("findById", true);
MyUser.disableRemoteMethod("findOne", true);
MyUser.disableRemoteMethod("deleteById", true);
MyUser.disableRemoteMethod("confirm", true);
MyUser.disableRemoteMethod("count", true);
MyUser.disableRemoteMethod("exists", true);
MyUser.disableRemoteMethod("resetPassword", true);
MyUser.disableRemoteMethod('__count__accessTokens', false);
MyUser.disableRemoteMethod('__create__accessTokens', false);
MyUser.disableRemoteMethod('__delete__accessTokens', false);
MyUser.disableRemoteMethod('__destroyById__accessTokens', false);
MyUser.disableRemoteMethod('__findById__accessTokens', false);
MyUser.disableRemoteMethod('__get__accessTokens', false);
MyUser.disableRemoteMethod('__updateById__accessTokens', false);
````
I tried to make a new BaseModel deriving from PersistentModel and added this code inside.
However, new models deriving from BaseModel still have the endpoints exposed, why is that?
Maybe whitelisting endpoints using ACL solves the problem for you?

This may be a solution, but I do not want to use ACL; for now I do not manage users.
Anyway, I'm more interested in understanding why models deriving from my base model did not inherit its behavior than finding a workaround ;)
In StrongLoop 3.0:
````
"loopback": "^3.4.0",
"loopback-component-explorer": "^4.1.1"
````
loopback deprecated Model.disableRemoteMethod is deprecated. Use Model.disableRemoteMethodByName instead.
But it seems that it doesn't work properly with related methods.
The following works:
````
model.disableRemoteMethod('__count__accessTokens', false);
model.disableRemoteMethod('__create__accessTokens', false);
model.disableRemoteMethod('__delete__accessTokens', false);
model.disableRemoteMethod('__destroyById__accessTokens', false);
model.disableRemoteMethod('__findById__accessTokens', false);
model.disableRemoteMethod('__get__accessTokens', false);
model.disableRemoteMethod('__updateById__accessTokens', false);
````
The following doesn't work at all:
````
model.disableRemoteMethodByName('__count__accessTokens');
model.disableRemoteMethodByName('__create__accessTokens');
model.disableRemoteMethodByName('__delete__accessTokens');
model.disableRemoteMethodByName('__destroyById__accessTokens');
model.disableRemoteMethodByName('__findById__accessTokens');
model.disableRemoteMethodByName('__get__accessTokens');
model.disableRemoteMethodByName('__updateById__accessTokens');
````
Please @raymondfeng reopen this issue.
Thanks for your product :+1:
In LoopBack 3, use the `prototype.` prefix when it comes to disabling methods attached to the prototype:
````
model.disableRemoteMethodByName('prototype.__count__accessTokens');
````
@ebarault Thank you so much.
this is a nice product and a nice community.
thanks :+1:
welcome @mercuriete !
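An added example, not part of the original thread and not LoopBack's own code: an allow-list helper for the "everything but login and logout" case asked about above, using the `prototype.` prefix for instance (relation) methods. It assumes `Model.sharedClass.methods()` returns objects with `name` and `isStatic` (as in strong-remoting) and that it is called after relations are set up; `exposeOnly`, `qualifiedName` and `makeStubModel` are hypothetical names, and the stub model is constructed so the block runs without LoopBack.

```javascript
'use strict';
// Added example (hypothetical helper names). Assumes a LoopBack 3 model whose
// sharedClass.methods() yields objects with `name` and `isStatic`.
function qualifiedName(method) {
  // Instance (relation) methods are addressed with the "prototype." prefix.
  return (method.isStatic ? '' : 'prototype.') + method.name;
}

// Disable every remote method that is not on the allow list.
function exposeOnly(Model, allowList) {
  const allowed = new Set(allowList);
  const seen = new Set();
  const disabled = [];
  for (const method of Model.sharedClass.methods()) {
    const name = qualifiedName(method);
    seen.add(name);
    if (!allowed.has(name)) {
      Model.disableRemoteMethodByName(name);
      disabled.push(name);
    }
  }
  // Allow-list entries that match no method are reported, so a misspelled
  // or renamed method is noticed at startup.
  const unmatched = allowList.filter((name) => !seen.has(name));
  return { disabled, unmatched };
}

// Constructed stand-in for a model so the helper runs without LoopBack.
function makeStubModel(methods) {
  const off = new Set();
  const enabled = () => methods.filter((m) => !off.has(qualifiedName(m)));
  return {
    sharedClass: { methods: enabled },
    disableRemoteMethodByName: (name) => { off.add(name); },
    enabledNames: () => enabled().map(qualifiedName),
  };
}

const stubUser = makeStubModel([
  { name: 'login', isStatic: true },
  { name: 'logout', isStatic: true },
  { name: 'find', isStatic: true },
  { name: 'deleteById', isStatic: true },
  { name: '__get__accessTokens', isStatic: false },
  { name: '__destroyById__accessTokens', isStatic: false },
]);
// 'confirm' is deliberately absent from the stub to show the unmatched report.
const result = exposeOnly(stubUser, ['login', 'logout', 'confirm']);
console.log(result, stubUser.enabledNames());
```

Against a real model the call would be `exposeOnly(MyUser, ['login', 'logout'])`; logging the returned `disabled` list at startup gives a record of which endpoints were closed.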
Could you please open the issue again?
I have tried all the above solutions and documentation here also but none of them work for me. I am wondering if there are any new changes in loopback API?
Thanks.
I have seen this work with Loopback 3.0
````
model.disableRemoteMethodByName('deleteById', true);
````
I am still facing this issue.
I just began with loopback and created a very simple app with two models only: customer and club.
I created a hasAndBelongsToMany relation between these models.
I see that I have got the below endpoint in the explorer:
POST /customers/{id}/clubs
But I don't want to expose the create method for club from within customer.
I tried to use the below methods inside customer.js as explained in the loopback documentation, but it still keeps showing the above end point (POST /customers/{id}/clubs) in explorer.
Is this a bug or am I doing something incorrectly here? I would really appreciate any help or pointers.
customer.json --
````
{
  "name": "customer",
  "base": "PersistedModel",
  "idInjection": true,
  "options": {
    "validateUpsert": true
  },
  "properties": {
    "name": {
      "type": "string",
      "required": true
    }
  },
  "validations": [],
  "relations": {
    "clubs": {
      "type": "hasAndBelongsToMany",
      "model": "club",
      "foreignKey": "clubId",
      "options": {
        "nestRemoting": true,
        "disableInclude": true
      }
    }
  },
  "acls": [],
  "methods": {}
}
````
thanks in advance,
Vipul
I have 20+ models, and each entity allows to delete every record of related entities using prototype.__delete__{entityname}.
I can disable the prototype method on each model .js file, but there should be a way to disable this deleteAll behavior everywhere.
Edit: I found out how to do it.
In config.json I had:
````
{
  // stuff
  "remoting": {
    "context": false,
    "sharedMethods": {
      "createChangeStream": false,
      "upsertWithWhere": false,
      "updateAll": false,
      "deleteAll": false,
      "destroyAll": false
    }
  }
  // more stuff
}
````
I blacklisted (inside sharedMethods)
````
"prototype.__delete__*": false,
"prototype.__link__*": false,
"prototype.__unlink__*": false
````
And it worked :+1: