strongloop / loopback-example-access-control

An example demonstrating LoopBack access control mechanisms.

restricting access to records in a table #83

Closed ORESoftware closed 7 years ago

ORESoftware commented 8 years ago

We use Loopback :) Say we have two tables like so (in Postgres):

contracts
| id | name | manager_id |
|----|------|-------------|
| 1  | a    | 4           |
| 2  | b    | 5           |
| 3  | c    | 6           |

contract_managers
| id | name |
|----|------|
| 4  | e    |
| 5  | f    |
| 6  | g    |

What we want is to implement low-level access control to the contracts table - restricting user access to only certain records. Given the docs, it's not yet clear if we can restrict access to particular records using ACLs alone.

If someone is logged into our application and they are a contract_manager, we want them to only be able to read records from the contracts table for records where the manager_id is the logged-in user id. For example, if I am logged in and my user id = 4, I am thus a contract_manager, and I should only be able to read from the contracts table where the manager_id = 4.

Is there a way to implement this simple logic with ACLs? Or do we need to create custom logic?
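
The rule described in the question above (a contract manager reads only rows whose manager_id equals their own user id), as an added example that is not part of the thread or of the project's code. It assumes the client filter uses LoopBack's `where` syntax and that the function is called from server-side custom logic with a user id taken from the authenticated session; `scopeToManager`, `matches` and `findContracts` are hypothetical names, and the rows are constructed.

```javascript
'use strict';

// Constructed sample rows mirroring the contracts table in the question.
const contracts = [
  { id: 1, name: 'a', manager_id: 4 },
  { id: 2, name: 'b', manager_id: 5 },
  { id: 3, name: 'c', manager_id: 6 },
];

// Force every query to be ANDed with the caller's own manager_id.
// `filter` is the client-supplied filter ({where: ...}) and is untrusted;
// `userId` must come from the authenticated session, never from the filter.
function scopeToManager(filter, userId) {
  if (userId === undefined || userId === null) {
    throw new Error('no authenticated user: refuse to query');
  }
  const own = { manager_id: userId };
  const where = filter && filter.where;
  const hasWhere = where && Object.keys(where).length > 0;
  // Wrapping in `and` keeps a client `or` clause from widening the result set.
  return Object.assign({}, filter, { where: hasWhere ? { and: [where, own] } : own });
}

// Minimal evaluator for the subset of where-syntax used here (equality, and, or),
// so the example runs without a database. Hypothetical helper, not LoopBack code.
function matches(row, where) {
  return Object.keys(where).every((key) => {
    if (key === 'and') return where.and.every((w) => matches(row, w));
    if (key === 'or') return where.or.some((w) => matches(row, w));
    return row[key] === where[key];
  });
}

function findContracts(filter, userId) {
  const scoped = scopeToManager(filter, userId);
  return contracts.filter((row) => matches(row, scoped.where));
}

// A client filter that asks for other managers' rows (constructed test input).
const widening = { where: { or: [{ manager_id: 5 }, { manager_id: 6 }] } };
console.log(findContracts(undefined, 4)); // only the row with manager_id 4
console.log(findContracts(widening, 4));  // empty: the forced clause wins
```
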

the1mills commented 8 years ago

I asked the same question on SO and got an answer; hopefully this is more or less correct:

http://stackoverflow.com/questions/39668855/using-access-control-lists-in-loopback-for-restricting-access-to-table-records/39679210#39679210

Thanks

stale[bot] commented 7 years ago

This issue has been closed due to continued inactivity. Thank you for your understanding. If you believe this to be in error, please contact one of the code owners, listed in the CODEOWNERS file at the top-level of this repository.