Checking Query Arguments For Loopback ACLs To Allow `find`ing The User's Data Only
I have two loopback services running independently in docker containers and they talk to each other. One handles `Users` and the other handles some `UserData` associated with a `User`. They are connected via a remote connector on both servers that point to the other server.

When the current `User` updates their details on server A it needs to update some `UserData` on server B. Auth is done using JWT tokens, and I managed to get server A to forward the token it was given to server B.

The problem I am having is that `user.data()` on server A gets passed to the remote connector and turned into a query like `/api/UserData/find?filter[where][userId]=2` on server B, but the ACLs on server B do not allow queries on `find` because then you could get everyone's data by just changing the where clause.

Is there a way to create a dynamic Role that lets a user filter by their own data? (i.e., can I check the query params in the Role resolver somehow?)

Answer
The way I did this was to create a role that checks the arguments in the `context.remotingContext.req` and verifies that the where for the current user is included in the arguments.
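
One way to write the resolver described in the answer, as an added example that is not the answerer's code. The role name `ownDataFilter` and both function names are hypothetical, and it assumes the JWT layer populates `context.accessToken.userId`. It goes slightly beyond the answer by also accepting the JSON-string form of `filter` and by rejecting operator objects and repeated parameters in place of a plain `userId` value.

```javascript
// Returns true only when the filter pins where.userId to the caller's id
// as a plain value (no operator objects such as {inq: [...]} and no arrays).
function filterIsScopedToUser(rawFilter, userId) {
  if (userId === undefined || userId === null) return false;
  let filter = rawFilter;
  if (typeof filter === 'string') {
    // LoopBack also accepts ?filter={"where":{...}} as a JSON string.
    try { filter = JSON.parse(filter); } catch (e) { return false; }
  }
  if (!filter || typeof filter !== 'object') return false;
  const where = filter.where;
  if (!where || typeof where !== 'object' || Array.isArray(where)) return false;
  const wanted = where.userId;
  // A repeated query parameter parses to an array and an operator to an object.
  if (typeof wanted !== 'string' && typeof wanted !== 'number') return false;
  // Query-string values arrive as strings, so compare string forms.
  return String(wanted) === String(userId);
}

// Registers the dynamic role. `Role` is the LoopBack Role model (app.models.Role).
function registerOwnFilterRole(Role) {
  Role.registerResolver('ownDataFilter', function(role, context, cb) {
    const req = context.remotingContext && context.remotingContext.req;
    // Assumption: the forwarded JWT has been resolved to an access token here.
    const userId = context.accessToken && context.accessToken.userId;
    // Only ever grant this role for the find method; deny everything else.
    if (!req || context.property !== 'find') return cb(null, false);
    cb(null, filterIsScopedToUser(req.query && req.query.filter, userId));
  });
}
```

The role then needs an ALLOW entry for `find` in the `UserData` ACLs, with `principalType` `ROLE` and this role name as `principalId`.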