Loopback ACL by individual property?
You can set the ACL based on the method in Loopback. For example, you can set access levels to Find, Update, Delete, etc. Is there a way to filter out sensitive properties on models?
Let's say I want to expose my user model via REST, but I want certain properties to be protected by an ACL. For example, maybe I don't want to disclose phoneNumber or address if the request is not made by the owner or administrator.
+4
1 answer
I see two different ways to achieve this:
- Extend the base user model with your own remote findById method and check the user's roles by exposing them to different data.
- Add a "before" remote hook to findById and check if the user is the $owner - if it is, call next; if not, call a custom method that returns the data you want to post to the public (check https://docs.strongloop.com/display/public/LB/Remote+hooks). I'm not 100% sure this works for built-in user methods.
hope this helps, Greetz
+2
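The hook approach from the answer above, written out as an added example (not code from the original post or from LoopBack itself). It filters in an "after" remote hook rather than the "before" hook the answer mentions, because it rewrites the result being returned; the `admin` role name, `req.roles` and the model name `MyUser` are assumptions.

```javascript
// Added example. phoneNumber/address come from the question; the 'admin'
// role name and req.roles (filled by earlier middleware) are assumptions.
const PROTECTED = ['phoneNumber', 'address'];

// Return a copy of `user` that the requester is allowed to see.
// Fails closed: no requester, or no id match, means the redacted view.
function redactUser(user, requester) {
  const plain = typeof user.toJSON === 'function' ? user.toJSON() : user;
  const isOwner = !!requester && requester.userId != null &&
    plain.id != null && String(requester.userId) === String(plain.id);
  const isAdmin = !!requester && Array.isArray(requester.roles) &&
    requester.roles.includes('admin');
  const out = {};
  for (const key of Object.keys(plain)) {
    if (isOwner || isAdmin || !PROTECTED.includes(key)) out[key] = plain[key];
  }
  return out;
}

// Handler with the (ctx, instance, next) shape of a LoopBack remote hook.
// It rewrites ctx.result, so it suits an "after" hook; arrays are handled
// so the same handler can cover find as well as findById.
function redactHook(ctx, instance, next) {
  const req = ctx.req || {};
  const token = req.accessToken;
  const requester = token ? { userId: token.userId, roles: req.roles || [] } : null;
  if (Array.isArray(ctx.result)) {
    ctx.result = ctx.result.map((u) => redactUser(u, requester));
  } else if (ctx.result) {
    ctx.result = redactUser(ctx.result, requester);
  }
  next();
}

// Wiring in a model script (assumed model name MyUser):
//   MyUser.afterRemote('findById', redactHook);
//   MyUser.afterRemote('find', redactHook);

// Constructed sample record and requests.
const sample = { id: 7, username: 'alice', phoneNumber: '555-0100', address: '1 Main St' };
function view(req) {
  const ctx = { req, result: Object.assign({}, sample) };
  redactHook(ctx, null, () => {});
  return ctx.result;
}
console.log(view({}));                              // anonymous request
console.log(view({ accessToken: { userId: 7 } }));  // owner request
```

Registering the handler on `find` as well as `findById` matters: a filter on the single-record route alone leaves the same fields readable through the list route.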