我一直在阅读有关角色的环回文档。他们陈述如下:
要限定$ owner,目标模型需要拥有belongsTo 与用户模型(或模型从用户扩展)和属性的关系 匹配目标模型实例的外键。检查 $ owner仅针对具有':id'的远程方法执行 路径,例如,GET / api / users /:id。
然而,当我有一个“hasMany”关系并希望对某个对象执行某个操作时会发生什么:
PUT myusers/123/news/456
这将是我的user.json:
{
"name": "MyUser",
"plural": "myusers",
"base": "User",
"idInjection": true,
"options": {
"validateUpsert": true
},
"properties": {},
"validations": [],
"relations": {
"news": {
"type": "hasMany",
"model": "News",
"foreignKey": ""
}
},
"acls": [],
"methods": []
}
答案 0 :(得分:4)
基于this,this和this。我已将MyUser实体更改为Writer实体,因为我喜欢它。
由于Writer实体有很多News,News关系和ACL应该是这样的(news.json)。
"relations": {
"writer": {
"type":"belongsTo",
"model":"Writer",
"foreignKey":"writer_id"
}
},
"acls": [
{ // Nobody has access to nothing
"accessType": "*",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "DENY"
},
{ // But everyone can read everything
"accessType": "READ",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW"
},
{ // And authenticated users can create news
"accessType": "EXECUTE",
"principalType": "ROLE",
"principalId": "$authenticated",
"permission": "ALLOW",
"property": "create"
},
{ // And the owner of a news can update it
"accessType": "WRITE",
"principalType": "ROLE",
"principalId": "$owner",
"permission": "ALLOW"
}
],
Writer实体具有相同的ACL规则,但这种关系(writer.json)
"relations": {
"news": {
"type": "hasMany",
"model": "News",
"foreignKey": "writer_id"
}
}
这里真正发生的是,当您创建Writer时,您必须指定email和password,因为他继承自User模型。所以如果你想要执行
PUT writers/123/news/456
您必须记录的Writer可以在此端点中完成:/api/writers/login(email+password)。如果您的标头,网址或表单上有Writer令牌,此端点将为您提供News令牌,然后您就可以在$owner上执行更新。
另一方面,您还可以获取正在执行HTTP Request的用户,并将该用户的新闻所有者设为hook。
希望它有所帮助。问候。