Enable relation methods targetting Models not exposed via REST API

[bajtos]

Cross-posting from https://groups.google.com/forum/#!topic/loopbackjs/pyk5B4-SFzs:

I have the following models:

Customer
Group

Customer hasMany Groups
Group belongsTo Customer

In the API I don't want to expose Group endpoints (i.e /api/groups/), but I do want to expose /api/customers/:id/groups

Recently I change my model-config.json to disable public access to the Groups endpoint.

"Group": {
    "dataSource": "db",
    "public": false
}

This disabled the endpoint in Explorer, and I was still able to make a call to /api/customers/:id/groups

However, I just noticed the following warning in the lb-service.js generatioin:

[2015-01-27T16:10:58.096Z] [ERROR] Warning: scope Customer.groups targets class "Group", which is not exposed
via remoting. The Angular code for this scope won't be generated.

This explains why the code in lb-services.js wasn't working. So the question then is can the lb-services generation be modified to include access to the relations (/api/customers/:id/groups) and restrict access to the base model (i.e /api/groups)?

[bajtos]

We don't have bandwidth to implement this feature ourselves. Contributions are welcome though!

[proreact-mj]

Xpost from #187

reproduce project: https://github.com/proreact-mj/loopback-sandbox

Notes:
This does not seem to be an issue for ad hoc created models (cli), only in the models that where migrated from a MySQL DB with arc. Maybe there is something in the automatic [model].json definition that messes with the lb-ng functionality?

Also note that removing the belongsTo relation from the through-model removes the issue in lb-ng but breaks the relation in the running API.