I am trying to build a fine-grained custom ACL for my APIs. The best way I could find to implement it was through the "access" operation hook. This seems to be working fine for all APIs except for the ones that I want to keep open. Is there a way to use the loopback context object (or any other way) to determine whether the given remote API is accessible to $everyone/$authenticated/${{custom}}?
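// I am editing the scope of the DB access call in the access hook here.
// Purpose: restrict which Company rows a non-admin 'UserB2b' token can read by
// rewriting ctx.query.where before the datasource query runs.
Company.observe('access', function (ctx, next) {
  console.log("In the access operational hook");
  try {
    var context = app.loopback.getCurrentContext();
    // NOTE(review): getCurrentContext() depends on continuation-local storage and
    // may be unset or stale across async boundaries — confirm it is populated for
    // every entry point that reaches this hook; a missing context currently means
    // "no scoping applied".
    var active = context && context.active;

    // Only scope the query for non-admin UserB2b tokens. Requests without an
    // access token (the $everyone READ path in the model ACL) are not touched here.
    if (active
        && active.accessToken
        && active.accessToken.model === 'UserB2b'
        && !active.isAdmin) {
      console.log("currentWhereCondition", ctx.query);

      // Fail closed: a user with no access list (or a non-array company list)
      // is scoped to an empty set rather than to an undefined `inq`.
      var userAccesses = active.userAccesses || {};
      var allowedCompanyIds = Array.isArray(userAccesses.companies)
        ? userAccesses.companies
        : [];
      var scope = { id: { inq: allowedCompanyIds } };

      // ctx.query.where may be absent (a bare find()); writing into it blindly
      // would throw and turn the request into an error instead of a scoped read.
      ctx.query = ctx.query || {};
      var callerWhere = ctx.query.where;

      // Always AND the caller's own filter with the allowed set. Skipping the
      // restriction whenever the caller already filters on `id` would let a
      // crafted `where.id` bypass the scoping entirely.
      if (callerWhere && Object.keys(callerWhere).length > 0) {
        ctx.query.where = { and: [callerWhere, scope] };
      } else {
        ctx.query.where = scope;
      }

      console.log("newWhereCondition", ctx.query);
    }
    next();
  } catch (ex) {
    // Surface unexpected failures to LoopBack instead of swallowing them.
    return next(ex);
  }
});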
Model ACLs:
"acls": [
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "DENY"
},
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$authenticated",
"permission": "ALLOW"
},
{
"model":"Company",
"accessType": "READ",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW"
}
]