I am having an issue protecting nested relations. I have three models:
Addresses, Users, and Users through Contacts.
A User can get their Address information:
/users/{user_id}/address.
A User can also get their Contacts:
/users/{user_id}/contacts.
But a User can also get their Contacts' Addresses:
/users/{user_id}/contacts?filter={"include":"addresses"}
I would like to restrict the Addresses relation to the $owner.
Temporary solution:
For now I am manually checking to see if the owner is the one accessing the relation:
var _ = require('lodash');

// `validate` is a helper from the asker's own app (not shown); assumed to call
// next(err) and return true when the condition is false.
Address.observe('access', function restrict(ctx, next) {
  var where = ctx.query.where;
  if (_.isObject(where) && where.user_id && where.user_id.inq) {
    var id = app.models.user.getCurrentUserId();
    // Note: only inq[0] is compared; later ids in the list are not checked.
    if (validate(where.user_id.inq[0] === id, 'Unauthorization Access', 'UNAUTHORIZATION_ACCESS', 403, next)) return;
  }
  next();
});
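A stricter version of that check, as an added example that is neither the asker's code nor part of LoopBack (only the `Model.observe('access', function (ctx, next) {...})` hook shape is LoopBack's). It compares every id the query pins `user_id` to, not just `inq[0]`, also handles a scalar `user_id` and `and`/`or` clauses, and fails closed on a `user_id` operator it does not understand. The names `userIdsInWhere`, `namesOnlyOwner` and `makeOwnerAccessHook` are chosen here, and the `getCurrentUserId` callback stands in for `app.models.user.getCurrentUserId()`.

```javascript
// Added example, not LoopBack's code or the asker's. Only the
// Model.observe('access', fn(ctx, next)) hook shape is LoopBack's; every
// function name below is chosen here for illustration.

// Collect every value the query's `where` pins user_id to, descending into
// and/or clauses. A user_id operator this code does not understand (neq, gt,
// like, ...) is recorded as null so the caller fails closed.
function userIdsInWhere(where) {
  if (!where || typeof where !== 'object') return [];
  var ids = [];
  if (Object.prototype.hasOwnProperty.call(where, 'user_id')) {
    var c = where.user_id;
    if (c && typeof c === 'object') {
      ids = Array.isArray(c.inq) ? ids.concat(c.inq) : ids.concat([null]);
    } else {
      ids.push(c);
    }
  }
  ['and', 'or'].forEach(function (op) {
    if (Array.isArray(where[op])) {
      where[op].forEach(function (sub) { ids = ids.concat(userIdsInWhere(sub)); });
    }
  });
  return ids;
}

// True when every user_id the query names is the current user's (ids are
// compared as strings so ObjectID and string forms agree). A query with no
// user_id constraint passes through, as in the asker's hook.
function namesOnlyOwner(where, currentUserId) {
  return userIdsInWhere(where).every(function (id) {
    return id !== null && id !== undefined && String(id) === String(currentUserId);
  });
}

// Build the access hook. getCurrentUserId stands in for
// app.models.user.getCurrentUserId() and returns undefined when unauthenticated,
// which is rejected as well.
function makeOwnerAccessHook(getCurrentUserId) {
  return function restrictToOwner(ctx, next) {
    var currentUserId = getCurrentUserId();
    var where = ctx && ctx.query ? ctx.query.where : undefined;
    if (currentUserId === undefined || currentUserId === null ||
        !namesOnlyOwner(where, currentUserId)) {
      var err = new Error('Unauthorized access');
      err.statusCode = 403; // LoopBack's error handler reads statusCode
      err.code = 'UNAUTHORIZED_ACCESS';
      return next(err);
    }
    next();
  };
}
```

Wire it up with `Address.observe('access', makeOwnerAccessHook(function () { return app.models.user.getCurrentUserId(); }));`. Note that a query with no `user_id` constraint at all is passed through unchanged, exactly as in the hook above, so direct access to `/addresses` still needs the model's ACLs.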
There is an issue in LoopBack created to fix this and to track all related discussions: https://github.com/strongloop/loopback/issues/1362