Loopback ACL by individual property?

You can set the ACL based on the method in Loopback. For example, you can set access levels to Find, Update, Delete, etc. Is there a way to filter out sensitive properties on models?

Let's say I want to expose my user model via REST, but I want certain properties to be protected by an ACL. For example, maybe I don't want to disclose phoneNumber or address if the request is not made by the owner or administrator.

+4




1 answer


I see two different ways to achieve this:

  • Extend the base user model with your own remote findById method and check the user's roles, exposing different data to them accordingly.
  • Add a "before" remote hook to findById and check if the user is the $owner: if so, call next; if not, call a custom method that returns the data you want to expose to the public (check https://docs.strongloop.com/display/public/LB/Remote+hooks). I'm not 100% sure this works for built-in user methods.


Hope this helps, Greetz

+2
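An added example (not part of the original answer or of LoopBack itself) of the owner-or-administrator check the question asks for, written as a hook with LoopBack's `(ctx, instance, next)` remote-hook shape that strips `phoneNumber` and `address` from `ctx.result`. It is a variation on the answer's second suggestion that filters the result after the method runs; `redactUser`, `makeRedactHook`, `resolveIsAdmin` and `demo` are hypothetical names, and the sample record and request context are constructed so the block runs without LoopBack.

```javascript
'use strict';

// Properties hidden from everyone except the owner or an administrator
// (property names taken from the question).
const SENSITIVE = ['phoneNumber', 'address'];

// Return a copy of `user` without the sensitive properties, unless the
// requester owns the record or is an administrator. Unauthenticated
// requests (requesterId == null) always get the redacted copy.
function redactUser(user, requesterId, isAdmin) {
  // LoopBack model instances expose toJSON(); plain objects are shallow-copied.
  const data = typeof user.toJSON === 'function' ? user.toJSON() : { ...user };
  const isOwner = requesterId != null && data.id != null &&
    String(requesterId) === String(data.id);
  if (isOwner || isAdmin === true) return data;
  for (const prop of SENSITIVE) delete data[prop];
  return data;
}

// Build a hook with the (ctx, instance, next) signature of a remote hook.
// Assumption: resolveIsAdmin(userId, cb) is supplied by the application,
// for example as a wrapper around its role lookup.
function makeRedactHook(resolveIsAdmin) {
  return function redactHook(ctx, instance, next) {
    if (!ctx.result) return next();
    const token = ctx.req && ctx.req.accessToken;
    const requesterId = token ? token.userId : null;
    resolveIsAdmin(requesterId, (err, isAdmin) => {
      if (err) return next(err); // fail closed: no data on lookup error
      const redact = (u) => redactUser(u, requesterId, isAdmin);
      ctx.result = Array.isArray(ctx.result) ? ctx.result.map(redact) : redact(ctx.result);
      next();
    });
  };
}

// Constructed sample record and simulated request context.
function demo(requesterId) {
  const record = { id: 7, username: 'alice', phoneNumber: '555-0100', address: '1 Example St' };
  const accessToken = requesterId == null ? null : { userId: requesterId };
  const ctx = { req: { accessToken }, result: record };
  const admins = new Set([1]); // constructed: user 1 is the administrator
  const hook = makeRedactHook((id, cb) => cb(null, admins.has(id)));
  hook(ctx, record, (err) => { if (err) throw err; });
  return ctx.result;
}
```

In a LoopBack application the hook would be registered with `afterRemote` on the user model for each method that returns user records, since redacting only `findById` leaves `find` and related methods returning the full record.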








