Loopback: ACL wildcard in property for related Models?

Created on 23 Feb 2015  路  9Comments  路  Source: strongloop/loopback

Hi there,
i often have ACL like:

[
    {
      "accessType": "*",
      "permission": "ALLOW",
      "principalType": "ROLE",
      "principalId": "editor",
      "property": "__get__questions"
    },
    {
      "accessType": "*",
      "permission": "ALLOW",
      "principalType": "ROLE",
      "principalId": "editor",
      "property": "__updateById__questions"
    },
    {
      "accessType": "*",
      "permission": "ALLOW",
      "principalType": "ROLE",
      "principalId": "editor",
      "property": "__create__questions"
    }
// ......
]

Grant full access to the related model Question for the role editor. Sadly i have to explicitly define every method here. Probably we could support something like __*__questions ?
Or is there another ay to grant access to related models?

feature
Source
picture psi-4ward

Most helpful comment

It's not a wildcard, but you can merge all of those into a single object using an array for the property: 

// ...
"property": ["__get__questions", "__updateById__questions", "__create__questions"]
picture doublemarked on 16 Nov 2015
👍2

All 9 comments

Would you like to submit a pull request?

superkhau picture superkhau on 25 Feb 2015

Dont know if i find time to dig this deep in the ACL implementation. Im not there for next 5 weeks

psi-4ward picture psi-4ward on 25 Feb 2015

At the very least, you could define the property as an array, although it would still be good to use wildcards!

gausie picture gausie on 12 Jun 2015

So is now the wildcard in the property available? I had the same issue now, wanted to allow only GET and deny all other methods.

kussberg picture kussberg on 15 Aug 2015

+1

danielrvt picture danielrvt on 27 Oct 2015

It's not a wildcard, but you can merge all of those into a single object using an array for the property: 

// ...
"property": ["__get__questions", "__updateById__questions", "__create__questions"]
doublemarked picture doublemarked on 16 Nov 2015
👍2

@psi-4ward: Do you still require this? As mentioned in https://github.com/strongloop/loopback/issues/1121#issuecomment-157172284, you can put your method names into an array.

This might take a while for us to get to. To speed up the process, you can do one of two things:

  1. If you still require this, open a new issue using the New issue button and fill in the template provided to you
  2. Open a PR adding this functionality yourself and we will review and merge.

Will close this issue now as it's been over a year. Please use option #1 if you still require this.

pthieu picture pthieu on 3 Nov 2016

Rather old Topic...

No I don't need it anymore, switched to FeathersJS. Thanks!

psi-4ward picture psi-4ward on 3 Nov 2016

this feature would be awesome. restricting relation methods is tedious and susceptible to vulnerabilities . Either the wildcard or the array option would help a lot.

joeybenenati picture joeybenenati on 5 May 2017
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

rkmax picture rkmax  路  3Comments
imasif picture imasif  路  3Comments
futurus picture futurus  路  3Comments
nmklong picture nmklong  路  3Comments
Overdrivr picture Overdrivr  路  3Comments