Include related models in findById

[bajtos]

Consider the use-case described in #85: a product hasAndBelongsToMany categories.

At the moment, it's possible to retrieve a category by id with all its products via findOne:

GET /api/categories/findOne?filter[where][id]=CAT-ID&filter[include]=products

We should add support for include to findById too, so that the request can be simplified to e.g.

GET /api/categories/CAT-ID?include=products

[fabien]

@bajtos would be great to have this in 2.0

[bajtos]

would be great to have this in 2.0
/cc @raymondfeng You can probably implement this in shorter time than I would need.

[raymondfeng]

We'll have to refine the findById() to take the options.

[doublemarked]

+1

[marcopeise]

+1

[raymondfeng]

We just added the options arg to findById. Does any of you want to create a patch?

[maddes]

Forget this, read the next comment

¿Has this been resolved in any newer version?

Notice that this prevents using the ACL resolver.

If I use find() or findOne with a where clause I get context.modelId = undefined on the resolver function.

But if I use findById() I can filter the access according to custom rules set on the resolver (because I have the id which is being requested).

This bug forces us to either:

• Not use the the ACL resolver functions (because I'll never get the modelId when I'm including stuff), but then I have a really hard time filtering access in situations like (employee access task assigned to his team: the task is not assigned to him but to his team, therefore, he doesn't have a 'owner' relation…)
• Do additional calls to the database filling the model needed with it's relations (which can be A LOT and it's very annoying).

Sorry the long post. I would give you a potato, but this isn't 9gag…

[maddes]

This is a immensely bigger show-stopper than I expected/commented…

How could I ever limit access on the example given?

I have:

• User
• Team
• Task

Relations:

• User belongs to a Team
• Team has many Task

ACL:

• User has the role teamMember
• Role teamMember has READ access granted to model Task
• A dynamic role resolver is added then to further filter when a teamMember tries to access a Task (to check if it belongs to the Task Team)

How can I limit the access for a User not to be accessing Tasks from other teams?

If I denyAll Users to Task, nobody can access their tasks directly.

If I grant Users to Task I let them access to all tasks, which is sad.

If I use a dynamic role resolver to further limit the access of teamMember only to the Team where he is and Task from his team, I just can't get to the tasks…

why?

• In the dynamic role resolver, if a teamMember is accessing to a Task not belonging to it's Team then the access is rejected. As a consequence, no teamMember can ever perform a Task.findOne() or Task.find() because the context.modelId received on the resolver is undefined and therefore, I can't verify the access without hideous inspection of the where clause.

Then how do I access the task? With a Task.findById({ id: taskId }).

And how do I know the taskId?

Easy, just do a Team.findById( { id: user.teamId, filter: { include: 'task' } } ) and you have a pretty list of Task for the team in the results…

Oh wait… I can't do that, because include doesn't work on findById().

But I can't use a Team.find( { filter: { include: 'task', where: { id: user.teamId } } } ) because the context.modelId will be undefined again, and I can't just grant them access to any Team they like…

So…

How do I do this simple task?

[bajtos]

Support for filter[include] was added by #564.

@maddes please open a new issue in the loopback project to discuss the implications for custom ACL resolver.