How to define access control properly on n-level child object in Loopback?


Thierry

Oct 18, 2016, 4:24:14 AM
to LoopbackJS

Hi!


I've been scratching my head for a while about the best way to define ACLs on my models. I have a model tree (based on a MySQL db) like this:
Project -> Issue -> Objective -> Action -> Planning


Each project is managed by a few users (some have read-only access, others have full access). If a user is not related to the project, he can't access it or its children. Each child knows only its parent (parentId).


How can I check that user X can access Planning Y?


I've tested nested models and it works fine, but only on the first level (Project -> Issue). I already tried a role resolver where I pass through all parent models up to Project, but it's ugly and must be done for each model. Someone told me to add a projectId property on all children (or add a rolemapping for each child record!) but I really don't think it's the proper way.


Thank you very much for your help,
Thierry

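The parent-chain check described in the post, written once for every model as a table-driven walk, as an added example that is not part of the original post and is not LoopBack's own code. The foreign-key names, the in-memory `db` and `members` maps and the function names are assumptions made for illustration; in a LoopBack app the lookups would be asynchronous model queries made from a role resolver.

```javascript
// Child model -> [parent model, foreign key on the child]. Key names are assumed.
const PARENT = new Map([
  ['Planning', ['Action', 'actionId']],
  ['Action', ['Objective', 'objectiveId']],
  ['Objective', ['Issue', 'issueId']],
  ['Issue', ['Project', 'projectId']],
]);

// Constructed sample rows standing in for the MySQL tables.
const db = new Map([
  ['Project', new Map([[1, { id: 1 }], [2, { id: 2 }]])],
  ['Issue', new Map([[10, { id: 10, projectId: 1 }], [11, { id: 11, projectId: 2 }]])],
  ['Objective', new Map([[20, { id: 20, issueId: 10 }]])],
  ['Action', new Map([[30, { id: 30, objectiveId: 20 }]])],
  // Planning 41 points at a missing Action: an orphan that must be denied.
  ['Planning', new Map([[40, { id: 40, actionId: 30 }], [41, { id: 41, actionId: 999 }]])],
]);

// Project membership: projectId -> (userId -> 'read' | 'full'). Constructed.
const members = new Map([
  [1, new Map([['alice', 'full'], ['bob', 'read']])],
  [2, new Map([['carol', 'full']])],
]);

// Walk parent links from any record up to its Project id.
// Returns null on an unknown model, a missing row or a broken link,
// so every caller denies by default.
function resolveProjectId(model, id) {
  let hops = 0;
  while (model !== 'Project') {
    const link = PARENT.get(model);
    const table = db.get(model);
    const row = table && table.get(id);
    if (!link || !row || ++hops > PARENT.size) return null;
    model = link[0];
    id = row[link[1]];
  }
  return db.get('Project').has(id) ? id : null;
}

// One check for every level: read needs any membership, write needs 'full'.
function canAccess(userId, model, id, wantsWrite) {
  const projectId = resolveProjectId(model, id);
  if (projectId === null) return false;
  const projectMembers = members.get(projectId);
  const level = projectMembers && projectMembers.get(userId);
  return level === 'full' || (!wantsWrite && level === 'read');
}
```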