Property permissions which override the model permissions themselves do not seem to be correctly respected when fetching data over a resource by default. Just to elaborate a bit, I would assume that in case no req.actor is provided by a middleware function, the correct assumption would be to use the ACLModel defaults.
This can be fixed by giving a default actor to the fetchOptions by making a minor change to the /lib/resrouces/resource.js on line 467 in the current version (SHA 21b76cb2b02baf162fc0c6bb8b9a02ecfff8c421):
Change this:
to this:
And of course require the model at the top of the resource.js:
I don't know yet whether or not the same property permission bug plagues other parts of the resource.js.
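The fallback described in this report, modelled as a self-contained added example (not the project's code and not the patch from the post): `articleAcl`, `DEFAULT_ACTOR`, `SAMPLE_RECORD` and the fetch functions are hypothetical names, and the way the actor-less path skips the property check is an assumption made for illustration.

```javascript
'use strict';

// Hypothetical default actor used when no middleware sets one.
const DEFAULT_ACTOR = Object.freeze({ role: 'anonymous' });

// Hypothetical ACL: a model-level read list plus a property-level override.
const articleAcl = {
  read: ['anonymous', 'editor'],
  properties: {
    internalNotes: { read: ['editor'] }, // stricter than the model default
  },
};

// Constructed sample record.
const SAMPLE_RECORD = { title: 'Release plan', internalNotes: 'draft only' };

// A property-level entry, when present, overrides the model-level list.
function canReadProperty(acl, actor, prop) {
  const override = acl.properties[prop];
  const allowed = override ? override.read : acl.read;
  return allowed.includes(actor.role);
}

// Return only the properties the actor is allowed to read.
function filterRecord(acl, record, actor) {
  const out = {};
  for (const [prop, value] of Object.entries(record)) {
    if (canReadProperty(acl, actor, prop)) out[prop] = value;
  }
  return out;
}

// Assumed failure mode: with no actor the property check never runs,
// so restricted properties are returned to an unauthenticated caller.
function fetchWithoutDefault(acl, record, options = {}) {
  if (!options.actor) return { ...record };
  return filterRecord(acl, record, options.actor);
}

// Fallback: a missing actor is treated as the default actor, so the
// property-level override is evaluated on every fetch.
function fetchWithDefault(acl, record, options = {}) {
  const actor = options.actor || DEFAULT_ACTOR;
  return filterRecord(acl, record, actor);
}
```

A regression test for this class of bug should fetch with no actor at all and check that restricted properties are absent from the result, since that path is the one middleware-dependent code tends to leave uncovered.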