Hide put and delete endpoints for related models #843

Closed
diasalvatore opened this issue Nov 20, 2014 · 18 comments

@diasalvatore

Hi,

I have MyUser that extends built-in User. I am trying to disable all /myusers/accessTokens endpoints, but I can't disable PUT and DELETE.

Here's my code (in MyUser.js):

MyUser.disableRemoteMethod('__get__accessTokens', false);
MyUser.disableRemoteMethod('__create__accessTokens', false);
MyUser.disableRemoteMethod('__find__accessTokens', false);
MyUser.disableRemoteMethod('__count__accessTokens', false);
MyUser.disableRemoteMethod('__findById__accessTokens', false);
MyUser.disableRemoteMethod('__upsert__accessTokens', false);
MyUser.disableRemoteMethod('__delete__accessTokens', false);

all were hidden but the two mentioned.
What is the correct way to hide them?

@diasalvatore
Author

Ok, I've found the name (I'm still wondering if there is a better way to hide everything):

MyUser.disableRemoteMethod('__destroyById__accessTokens', false); // DELETE
MyUser.disableRemoteMethod('__updateById__accessTokens', false); // PUT

Please close.
PS: maybe there is a mistake in the doc: http://docs.strongloop.com/display/public/LB/Exposing+models+over+REST#ExposingmodelsoverREST-Hidingendpointsforrelatedmodels . Example suggests to use: __delete__.

@bajtos added the doc label Dec 18, 2014
@crandmck
Contributor

OK, I clarified in docs.

@kennethlynne

This is still a pretty horrible approach. Is there no better way? My model has relations to other models, and they show up also. Do I actually have to explicitly "disableRemoteMethod" on each and every known endpoint? There sure has to be a way to only allow access to a model through another model's relations?

Example:
I want to be able to access messages through conversation, but not the other way around:
conversations/messages 👍
messages/ should be hidden entirely

@jfoliveira

Does anyone have a complete list of method names for user model?
Here is what I came up with after one hour looking at the source code:

MyUser.disableRemoteMethod("create", true);
MyUser.disableRemoteMethod("update", true);
MyUser.disableRemoteMethod("updateById", true);
MyUser.disableRemoteMethod("updateAll", true);

MyUser.disableRemoteMethod("find", true);
MyUser.disableRemoteMethod("findById", true);
MyUser.disableRemoteMethod("findOne", true);

MyUser.disableRemoteMethod("deleteById", true);
MyUser.disableRemoteMethod("destroyById", true);
MyUser.disableRemoteMethod("removeById", true);

MyUser.disableRemoteMethod("confirm", true);
MyUser.disableRemoteMethod("count", true);
MyUser.disableRemoteMethod("exists", true);
MyUser.disableRemoteMethod("resetPassword", true);

MyUser.disableRemoteMethod('__count__accessTokens', true);
MyUser.disableRemoteMethod('__create__accessTokens', true);
MyUser.disableRemoteMethod('__findById__accessTokens', true);

MyUser.disableRemoteMethod('__deleteById__accessTokens', true);
MyUser.disableRemoteMethod('__destroyById__accessTokens', true);
MyUser.disableRemoteMethod('__removeById__accessTokens', true);

MyUser.disableRemoteMethod('__deleteAll__accessTokens', true);
MyUser.disableRemoteMethod('__destroyAll__accessTokens', true);
MyUser.disableRemoteMethod('__removeAll__accessTokens', true);

MyUser.disableRemoteMethod('__updateById__accessTokens', true);

Few methods were removed, but I still have the methods below displayed on explorer:

DELETE /MyUsers/{id}/accessTokens
DELETE /MyUsers/{id}/accessTokens/{fk}
GET /MyUsers/{id}/accessTokens
GET /MyUsers/{id}/accessTokens/count
GET /MyUsers/{id}/accessTokens/{fk}
POST /MyUsers/login
POST /MyUsers/logout
POST /MyUsers/{id}/accessTokens
PUT /MyUsers
PUT /MyUsers/{id}
PUT /MyUsers/{id}/accessTokens/{fk}

How could I disable everything but login and logout?

@crandmck
Contributor

@raymondfeng Do you have a suggestion here?

@raymondfeng
Member

The complete list is available via http://localhost:3000/explorer/resources/users. See the list of nicknames.

@jfoliveira

Thanks @crandmck and @raymondfeng !

Here is the code that allowed me to disable all /users methods except login and logout:

MyUser.disableRemoteMethod("create", true);
MyUser.disableRemoteMethod("upsert", true);
MyUser.disableRemoteMethod("updateAll", true);
MyUser.disableRemoteMethod("updateAttributes", false);

MyUser.disableRemoteMethod("find", true);
MyUser.disableRemoteMethod("findById", true);
MyUser.disableRemoteMethod("findOne", true);

MyUser.disableRemoteMethod("deleteById", true);

MyUser.disableRemoteMethod("confirm", true);
MyUser.disableRemoteMethod("count", true);
MyUser.disableRemoteMethod("exists", true);
MyUser.disableRemoteMethod("resetPassword", true);

MyUser.disableRemoteMethod('__count__accessTokens', false);
MyUser.disableRemoteMethod('__create__accessTokens', false);
MyUser.disableRemoteMethod('__delete__accessTokens', false);
MyUser.disableRemoteMethod('__destroyById__accessTokens', false);
MyUser.disableRemoteMethod('__findById__accessTokens', false);
MyUser.disableRemoteMethod('__get__accessTokens', false);
MyUser.disableRemoteMethod('__updateById__accessTokens', false);

@sinedied

I tried to make a new BaseModel deriving from PersistentModel and added this code inside.

However, new models deriving from BaseModel still have the endpoints exposed, why is that?

@kennethlynne

Maybe whitelisting endpoints using ACL solves the problem for you?

@sinedied

This may be a solution, but I do not want to use ACL for now; I do not manage users.
Anyway, I'm more interested in understanding why models deriving from my base model did not inherit its behavior than finding a workaround ;)

@mercuriete

mercuriete commented Mar 9, 2017

In StrongLoop 3.0:

"loopback": "^3.4.0",
"loopback-component-explorer": "^4.1.1"

loopback deprecated Model.disableRemoteMethod is deprecated. Use Model.disableRemoteMethodByName instead.

But it seems that it doesn't work properly with related methods.

The following works:

  model.disableRemoteMethod('__count__accessTokens', false);
  model.disableRemoteMethod('__create__accessTokens', false);
  model.disableRemoteMethod('__delete__accessTokens', false);
  model.disableRemoteMethod('__destroyById__accessTokens', false);
  model.disableRemoteMethod('__findById__accessTokens', false);
  model.disableRemoteMethod('__get__accessTokens', false);
  model.disableRemoteMethod('__updateById__accessTokens', false);

The following doesn't work at all:

  model.disableRemoteMethodByName('__count__accessTokens');
  model.disableRemoteMethodByName('__create__accessTokens');
  model.disableRemoteMethodByName('__delete__accessTokens');
  model.disableRemoteMethodByName('__destroyById__accessTokens');
  model.disableRemoteMethodByName('__findById__accessTokens');
  model.disableRemoteMethodByName('__get__accessTokens');
  model.disableRemoteMethodByName('__updateById__accessTokens');

Please @raymondfeng reopen this issue.

Thanks for your product 👍

@ebarault
Contributor

ebarault commented Mar 9, 2017

in loopback 3 use the prototype. prefix when it comes to disable methods attached on prototype:
model.disableRemoteMethodByName('prototype.__count__accessTokens');
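An allow-list version of the approach in this thread, as an added example (not code from any commenter or from LoopBack itself): it disables every remote method except the named ones and applies the `prototype.` prefix to instance and relation methods. It assumes the model exposes `sharedClass.methods()` returning objects with `name` and `isStatic`, as LoopBack 3 models do; `remoteName`, `exposeOnly` and `makeStubModel` are hypothetical helper names, and the stub model is constructed so the block runs without LoopBack installed.

```javascript
'use strict';

// Name form disableRemoteMethodByName() expects in LoopBack 3: instance
// methods (including relation methods such as __create__accessTokens)
// need the "prototype." prefix; static methods are passed as-is.
function remoteName(method) {
  return method.isStatic ? method.name : 'prototype.' + method.name;
}

// Disable every remote method that is not on the allow-list.
// Returns the names that were disabled so they can be logged or asserted on.
function exposeOnly(Model, allowList) {
  const allowed = new Set(allowList);
  const disabled = [];
  for (const method of Model.sharedClass.methods()) {
    const name = remoteName(method);
    if (!allowed.has(name)) {
      Model.disableRemoteMethodByName(name);
      disabled.push(name);
    }
  }
  return disabled;
}

// Constructed stand-in for a LoopBack model (assumption: same shape as the
// real sharedClass.methods() / disableRemoteMethodByName() pair).
function makeStubModel(methods) {
  const off = new Set();
  return {
    sharedClass: {methods: () => methods.filter((m) => !off.has(remoteName(m)))},
    disableRemoteMethodByName: (name) => off.add(name),
  };
}

function demo() {
  const MyUser = makeStubModel([ // constructed sample method list
    {name: 'login', isStatic: true},
    {name: 'logout', isStatic: true},
    {name: 'find', isStatic: true},
    {name: 'deleteById', isStatic: true},
    {name: 'updateAttributes', isStatic: false},
    {name: '__get__accessTokens', isStatic: false},
    {name: '__delete__accessTokens', isStatic: false},
    {name: '__updateById__accessTokens', isStatic: false},
  ]);
  const disabled = exposeOnly(MyUser, ['login', 'logout']);
  return {disabled, remaining: MyUser.sharedClass.methods().map(remoteName)};
}

console.log(demo());
```

In a real model file, `exposeOnly` has to run after the model's relations have been set up, otherwise the relation methods are not yet in the list it walks.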

@mercuriete

@ebarault Thank you so much.
this is a nice product and a nice community.
thanks 👍

@ebarault
Contributor

welcome @mercuriete !

@zenzjtech

zenzjtech commented Jun 7, 2017

Could you please open the issue again?
I have tried all the above solutions and documentation here also but none of them work for me. I am wondering if there are any new changes in loopback API?

Thanks.

@sw8fbar

sw8fbar commented Feb 14, 2018

I have seen this work with Loopback 3.0
model.disableRemoteMethodByName('deleteById', true);

@newthings4learning

newthings4learning commented Mar 24, 2018

I am still facing this issue.
I just began with loopback and created a very simple app with two models only: customer and club.
I created a hasAndBelongsToMany relation between these models.

I see that I have got the below end point in the explorer:
POST /customers/{id}/clubs

But I don't want to expose the create method for club from within customer.

I tried to use the below methods inside customer.js as explained in the loopback documentation, but it still keeps showing the above end point (POST /customers/{id}/clubs) in explorer.

  1. Customer.disableRemoteMethod('__create__club',true);
  2. Customer.disableRemoteMethod('prototype.__create__club',true);
  3. Customer.disableRemoteMethodByName('__create__club');
  4. Customer.disableRemoteMethodByName('prototype.__create__club');

Is this a bug or am I doing something incorrectly here? I would really appreciate any help or pointers.

customer.json --
{
  "name": "customer",
  "base": "PersistedModel",
  "idInjection": true,
  "options": {
    "validateUpsert": true
  },
  "properties": {
    "name": {
      "type": "string",
      "required": true
    }
  },
  "validations": [],
  "relations": {
    "clubs": {
      "type": "hasAndBelongsToMany",
      "model": "club",
      "foreignKey": "clubId",
      "options": {
        "nestRemoting": true,
        "disableInclude": true
      }
    }
  },
  "acls": [],
  "methods": {}
}

thanks in advance,
Vipul

@ffflabs

ffflabs commented Oct 29, 2018

I have 20+ models, and each entity allows to delete every record of related entities using prototype.__delete__{entityname}.

I can disable the prototype method on each model .js file, but there should be a way to disable this deleteAll behavior everywhere.

Edit: I found out how to do it.

In config.json I had:

{
  // stuff
  "remoting": {
    "context": false,
    "sharedMethods": {
      "createChangeStream": false,
      "upsertWithWhere": false,
      "updateAll": false,
      "deleteAll": false,
      "destroyAll": false
    }
  }
  // more stuff
}

I blacklisted (inside sharedMethods)

      "prototype.__delete__*": false,
      "prototype.__link__*": false,
      "prototype.__unlink__*": false

And it worked 👍
