Open pulkitsinghal opened 9 years ago
As an example, imagine this situation which I believe throws off a lot of users including myself: you are logged into your angular client and you want to fetch a model owned by your user and also get at its related models.
Sample Scenario: UserModel hasMany ReportModel(s) ReportModel has many LineItemModel(s)
ReportModel.findById({id: reportId})
will hit the wall where currently (today is April 15, 2015) there is no way to use the include
filter with findById()
ReportModel.find({where:{id:reportId}, include:['lineitemModels']})
but that too will fail with a 403The only way this is going to work is via a very specific syntax which starts at the UserModel and leverages the fact that ReportModel is related to it ... to finally get at the resources we want!
UserModel.reportModels.findById({
id: LoopBackAuth.currentUserId,
fk: reportId,
filter:{
include:'lineitemModels'
}
})
Why does it have to be so contrived? This is how it was explained to me: https://groups.google.com/d/msg/loopbackjs/T5FJnqXomd8/CdziNmDOloIJ
At the moment, LoopBack ACLs are enforced prior to the target method invocation. Only the knowledge from the request context is used. For example, the $owner role uses the ‘id’ to check if the target instance is ‘owned’ by the logged in user. There were discussions to extend ACL checks post the method invocation. We’re working toward that in steps.
By the way, pending https://github.com/strongloop/loopback/pull/1306, the filter include
inside findById is a no-op!
An enlightening comment from @jasonaden:
Wait, are you trying to secure everything to the $owner? You will have a lot of difficulty doing that. $owner can only go one level deep, and only works against the User model, so it's not really all that useful.
https://github.com/strongloop/loopback/pull/1306 was released for "loopback": "2.16.0"
and I tested that it works with the followign syntax on the angular side:
return ReportModel.findById({
id:1,
filter:{
include:'lineitemModels'
}
})
.$promise.then(function(...){...});
But while that wasn't working I had also taken @doublemarked's suggestion to implement a remote method so for what its worth that approach may be worth demoing too.
FWIW, I would not recommend the solution described in https://github.com/loopbackers/loopback-advanced-models/issues/4#issuecomment-93622066 as it may stop working once we fix https://github.com/strongloop/loopback/issues/960
UserModel.reportModels.findById({ id: LoopBackAuth.currentUserId, fk: reportId, filter:{ include:'lineitemModels' } })
I don't think there are any examples on github right now or any docs that show: How to call findById for a related model from angular.
We should figure it out and cover that.