Description
This package still active?
By my test,
PermissionService.grant({role:'registered', model:'sth', action:'update', relation:'role'})
PermissionService.grant({role:'registered', model:'sth', action:'update', relation:'owner'})
Then, 'put /sth/:id' can only be accessed by the user who owns the 'sth/:id', it works.
However, I need similar access control for 'get /sth/:id', I want only the owner can access 'get sth/:id'. I tried the following operations:
PermissionService.grant({role:'registered', model:'sth', action:'read', relation:'role'})
PermissionService.grant({role:'registered', model:'sth', action:'read', relation:'owner'})
But it does not work.
PermissionService.grant({role:'registered', model:'sth', action:'read', relation:'role'})
, then 'get /sth/' and 'get /sth/:id' can both be accessed by all registered users despite of ownership.
PermissionService.revoke({role:'registered', model:'sth', action:'read', relation:'role'})
, then 'get /sth/' and 'get /sth/:id' would both be forbidden for all registered users despite of ownership.
And permission {role:'registered', model:'sth', action:'read', relation:'owner'} seems to have no effect.
I just don't know if it is a designed feature or a bug.