Description
Hello
I have a method "preferences" on my UserController, which actually only works against my Preferences model:
    preferences: function(req, res) {
      Preferences.findOrCreate({user: req.session.userInfo.id}).then(function(preferences){
        if(!preferences) return res.serverError("error getting preferences");
        return res.ok(preferences);
      }).catch(function(err){ return res.serverError(err);});
    }
The sails-permissions RolePolicy seems to not like that combination. The RolePolicy will actually extract ALL objects in my User model to check whether my permission matches each object. After some debug statements this is what is written to the console:
silly: PermissionService -> findModelPermissions -> permissionCriteria:
silly: {"model":8,"action":"read","or":[{"role":[2,5]},{"user":3}]}
silly: PermissionPolicy:
silly: [{"criteria":[],"model":8,"role":2,"action":"read","relation":"owner","createdAt":"2017-08-17T11:12:44.344Z","updatedAt":"2017-08-17T11:12:44.344Z","id":120}]
silly: PermissionPolicy: 1 permissions grant GET on model User for Greenfield Bikes/Bjarne B
To this point the PermissionPolicy has gathered that the current user has READ on the User model with Relation: Owner.
Now comes the weird part:
silly: RolePolicy -> entry
silly: RolePolicy -> Cannot perform action [read] on foreign object:
The RolePolicy calls the PermissionService.findTargetObjects(req) which returns ALL objects on the User model.
- Why does the RolePolicy work on the User model, when it is the Preferences model that my UserController will access?
- Why is the PermissionService.findTargetObjects(req) call needed? Returning all objects on the model seems crazy. What happens with performance if I have 100.000 entries in my model? And all this is before my code is even touching the model.
- Am I using it all wrong?
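
A simplified model of the behaviour reported above, added here as an illustration; it is not part of the original post and it is not sails-permissions code. The sample rows and the names modelFromRoute, checkAfterFetch and scopedRead are hypothetical, and deriving the target model from the controller name is an assumption that matches what the post observes.

```javascript
'use strict';
// Constructed sample data, not from the original post: rows carry an `owner` id.
const db = {
  user: [{ id: 1, owner: 1 }, { id: 2, owner: 2 }, { id: 3, owner: 3 }],
  preferences: [{ id: 10, owner: 1, theme: 'light' }, { id: 11, owner: 3, theme: 'dark' }],
};

// Assumption: a policy runs before the action, so it can only infer the
// target model from the route (UserController -> "user"), never from the
// model the action body queries.
function modelFromRoute(route) {
  return route.controller.replace(/Controller$/, '').toLowerCase();
}

// Check-after-fetch: with no criteria on the request, every row of the
// inferred model is loaded, and one foreign row denies the whole request.
function checkAfterFetch(route, userId) {
  const model = modelFromRoute(route);
  const rows = db[model];
  const foreign = rows.filter((row) => row.owner !== userId);
  return { model, rowsLoaded: rows.length, allowed: foreign.length === 0 };
}

// Scoped read: the owner constraint is part of the criteria (the filter
// stands in for a WHERE owner = ? clause), so only the caller's rows are
// returned and foreign rows can never reach the response.
function scopedRead(model, userId) {
  const rows = db[model].filter((row) => row.owner === userId);
  return { model, rowsLoaded: rows.length, rows };
}

// User id 3 mirrors the "user":3 criterion in the debug output above.
const route = { controller: 'UserController', action: 'preferences' };
const before = checkAfterFetch(route, 3);
const after = scopedRead('preferences', 3);
console.log(before); // policy-style check against the inferred model
console.log(after);  // owner-scoped read of the model the action uses
```

The first result shows both concerns from the post at once: the check runs against the model inferred from the route rather than the one the action reads, and its cost grows with the size of that table.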