-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hide put and delete endpoints for related models #843
Comments
Ok, I've found the name (I'm still wondering if there is a better way to hide everything):
Please close. |
OK, I clarified in docs. |
This is still a pretty horrible approach. Is there no better way? My model has relations to other models, and they show up also. Do I actually have to explicitly "disableRemoteMethod" on each and every known endpoint? There sure has to be a way to only allow access to a model through another models relations? Example: |
Does anyone have a complete list of method names for user model? MyUser.disableRemoteMethod("create", true);
MyUser.disableRemoteMethod("update", true);
MyUser.disableRemoteMethod("updateById", true);
MyUser.disableRemoteMethod("updateAll", true);
MyUser.disableRemoteMethod("find", true);
MyUser.disableRemoteMethod("findById", true);
MyUser.disableRemoteMethod("findOne", true);
MyUser.disableRemoteMethod("deleteById", true);
MyUser.disableRemoteMethod("destroyById", true);
MyUser.disableRemoteMethod("removeById", true);
MyUser.disableRemoteMethod("confirm", true);
MyUser.disableRemoteMethod("count", true);
MyUser.disableRemoteMethod("exists", true);
MyUser.disableRemoteMethod("resetPassword", true);
MyUser.disableRemoteMethod('__count__accessTokens', true);
MyUser.disableRemoteMethod('__create__accessTokens', true);
MyUser.disableRemoteMethod('__findById__accessTokens', true);
MyUser.disableRemoteMethod('__deleteById__accessTokens', true);
MyUser.disableRemoteMethod('__destroyById__accessTokens', true);
MyUser.disableRemoteMethod('__removeById__accessTokens', true);
MyUser.disableRemoteMethod('__deleteAll__accessTokens', true);
MyUser.disableRemoteMethod('__destroyAll__accessTokens', true);
MyUser.disableRemoteMethod('__removeAll__accessTokens', true);
MyUser.disableRemoteMethod('__updateById__accessTokens', true); Few methods were removed, but I still have the methods below displayed on explorer: DELETE /MyUsers/{id}/accessTokens
DELETE /MyUsers/{id}/accessTokens/{fk}
GET /MyUsers/{id}/accessTokens
GET /MyUsers/{id}/accessTokens/count
GET /MyUsers/{id}/accessTokens/{fk}
POST /MyUsers/login
POST /MyUsers/logout
POST /MyUsers/{id}/accessTokens
PUT /MyUsers
PUT /MyUsers/{id}
PUT /MyUsers/{id}/accessTokens/{fk} How could I disable everything but |
@raymondfeng Do you have a suggestion here? |
The complete list is available via http://localhost:3000/explorer/resources/users. See the list of nicknames. |
Thanks @crandmck and @raymondfeng ! Here is the code that allowed me to disable all MyUser.disableRemoteMethod("create", true);
MyUser.disableRemoteMethod("upsert", true);
MyUser.disableRemoteMethod("updateAll", true);
MyUser.disableRemoteMethod("updateAttributes", false);
MyUser.disableRemoteMethod("find", true);
MyUser.disableRemoteMethod("findById", true);
MyUser.disableRemoteMethod("findOne", true);
MyUser.disableRemoteMethod("deleteById", true);
MyUser.disableRemoteMethod("confirm", true);
MyUser.disableRemoteMethod("count", true);
MyUser.disableRemoteMethod("exists", true);
MyUser.disableRemoteMethod("resetPassword", true);
MyUser.disableRemoteMethod('__count__accessTokens', false);
MyUser.disableRemoteMethod('__create__accessTokens', false);
MyUser.disableRemoteMethod('__delete__accessTokens', false);
MyUser.disableRemoteMethod('__destroyById__accessTokens', false);
MyUser.disableRemoteMethod('__findById__accessTokens', false);
MyUser.disableRemoteMethod('__get__accessTokens', false);
MyUser.disableRemoteMethod('__updateById__accessTokens', false); |
I tried to make a new However, new models deriving from |
This may be a solution, but do not want to use ACL for now I do not manage users. |
in Stroonloop 3.0: "loopback": "^3.4.0", loopback deprecated Model.disableRemoteMethod is deprecated. Use Model.disableRemoteMethodByName instead. but it seems that it doenst work properly with related methods the following works:
the following doenst work at all:
Please @raymondfeng reopen this issue. Thanks for your product 👍 |
in loopback 3 use the |
@ebarault Thank you so much. |
welcome @mercuriete ! |
Could you please open the issue again? Thanks. |
I have seen this work with Loopback 3.0 |
I am still facing this issue. i see that i have got the below end point in the explorer: But I don't want to expose the create method for club from within customer. I tried to use the below methods inside customer.js as explained in the loopback documentation, but it still keeps showing the above end point (POST /customers/{id}/clubs) in explorer.
Is this a bug or am i doing something incorrectly here ? I would really appreciate any help or pointers. customer.josn -- thanks in advance, |
I have 20+ models, and each entity allows to delete every record of related entities using I can disable the prototype method on each model Edit: I found out how to do it.In {
// stuff
"remoting": {
"context": false,
"sharedMethods": {
"createChangeStream": false,
"upsertWithWhere": false,
"updateAll": false,
"deleteAll": false,
"destroyAll": false,
}
// more stuff
} I blacklisted (inside sharedMethods) "prototype.__delete__*": false,
"prototype.__link__*": false,
"prototype.__unlink__*": false And it worked 👍 |
Hi,
I have
MyUser
that extends built-inUser
. I am trying to disable all/myusers/accessTokens
endpoints, but I can't disable PUT and DELETE.Here's my code (in
MyUser.js
):all were hidden but the two mentioned.
What is the correct way to hide them?
The text was updated successfully, but these errors were encountered: