validate permissions for each of req.options.associations

[tjwebb]

[tjwebb]

@ryanwilliamquinn I wonder if this can flow also into the Transitive Permissions feature (#64). Basically, we currently avoid this problem by setting populate: false. But sails allows you to complexly query for associations and whatnot, and we'll want all these permissions checks to apply to those relations as well

[bsill]

Here is the problem I am running into, and am wondering if it relates to this issue:

I have a model, DataSource, which has a one-to-many with Schema, as follows:

...

attributes: {
    label  : { type: 'string', required : true, maxLength : 30 },
    produces : {
        collection : 'schema',
        via : 'producedBy'
    }
}

...

I have blueprint populate set to false, such that when I load DataSources, I do not also receive the schemas it produces by default. Thus I need to make a call for them on demand. I am doing so via the following blueprint action:

/dataSource/:id/produces

Unfortunately, I am receiving a 404 response, as the CriteriaPolicy is trying to apply the criteria for DataSources to the data which is returned, which is an array of Schema models, not DataSources. Thus, we hit this conditional case in CriteriaPolicy.responsePolicy, and return 404:

if (permitted.length === 0) {
    sails.log.info('permitted.length === 0');
    return res.send(404);
}

Looks like ModelPolicy may need to be made smarter to identify the blueprint url pattern /model/:id/association, and set the model class to the association's class, not the root model.

Do you plan to make this enhancement? I use the on-demand association request a number of places.

Thanks

[pixelbacon]

This is a rather large bug IMO; a main reason many people use Sails is because of the blueprint & association portion of the API...

Any update on this?