Restricting data access to users in operation hook (access) depending on the ACL of any remote API


Arpan Jain

Oct 18, 2016, 12:35:10 PM10/18/16
to loopb...@googlegroups.com
Hello,

I am trying to build a fine-grained custom ACL for my APIs. The best way I could find to implement it was through the "ACCESS" operation hook. This seems to be working fine for all APIs except for the ones that I want to keep open. Is there a way to use the loopback context object (or any other way) to find out whether the given remote API is accessible to $everyone/$authenticated/${{custom}}?


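// I am editing the scope of the DB access call in the Access hook here
Company.observe('access', function (ctx, next) {
  console.log("In the access operational hook");

  try {
    var context = app.loopback.getCurrentContext();

    //if the API is open for everybody, then skip this.
    //but how do i know about the ACL rule of the current API request
    if (isRestrictedB2bRequest(context)) {
      console.log("currentWhereCondition", ctx.query);

      var userAccesses = context.active.userAccesses;
      var companies = userAccesses && userAccesses.companies;
      if (!Array.isArray(companies)) {
        // Fail closed: a UserB2b token with no company list must not fall
        // through to an unrestricted query. The original code would have hit
        // a TypeError here and passed it to next() as well.
        return next(new Error('userAccesses.companies is missing for the current UserB2b token'));
      }

      // Build ctx.query if it is absent rather than dereferencing
      // ctx.query.where and failing with a TypeError.
      if (!ctx.query) {
        ctx.query = {};
      }
      ctx.query.where = restrictWhereToCompanies(ctx.query.where, companies);
      console.log("newWhereCondition", ctx.query);
    }
  } catch (ex) {
    return next(ex);
  }
  // Called outside the try so that an exception thrown downstream of next()
  // cannot be routed back into next(ex) as a second callback invocation.
  next();
});

/**
 * Decides whether the ownership restriction applies to the current request:
 * a UserB2b access token that is not flagged as admin.
 * NOTE(review): `isAdmin` and `userAccesses` are read from context.active but
 * are not standard LoopBack fields; presumably set by this app — verify where.
 * @param {object|undefined} context - result of app.loopback.getCurrentContext()
 * @returns {boolean} true when the query must be narrowed to the user's companies
 */
function isRestrictedB2bRequest(context) {
  var active = context && context.active;
  return Boolean(active
    && active.accessToken
    && active.accessToken.model === 'UserB2b'
    && !active.isAdmin);
}

/**
 * Intersects the caller-supplied `where` with the ids the user may access.
 * The original code checked `ctx.query.id` (which is never set) and then
 * overwrote `where.id`, so a request such as `where: {id: 5}` was replaced by
 * the full company list instead of being narrowed. Here the incoming filter is
 * kept verbatim and AND-ed with the ownership filter, so a request for an id
 * outside the allowed list matches nothing.
 * @param {object|undefined} where - incoming LoopBack where filter, may be empty
 * @param {Array} companies - ids the current user is allowed to read
 * @returns {object} a where filter that can only match allowed companies
 */
function restrictWhereToCompanies(where, companies) {
  var ownership = { id: { inq: companies } };
  if (!where || Object.keys(where).length === 0) {
    return ownership;
  }
  return { and: [where, ownership] };
}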


Model ACLs:
"acls": [
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "DENY"
},
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$authenticated",
"permission": "ALLOW"
},
{
"model":"Company",
"accessType": "READ",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW"
}
]
