Merge pull request #1370 from strongloop/fix/check-access-ordering

Use the new remoting.authorization hook for check access

lib/application.js

@@ -295,7 +295,8 @@ app.enableAuth = function() {
   var remotes = this.remotes();
   var app = this;
 
-  remotes.before('**', function(ctx, next, method) {
+  remotes.authorization = function(ctx, next) {
+    var method = ctx.method;
     var req = ctx.req;
     var Model = method.ctor;
     var modelInstance = ctx.instance;
@@ -354,7 +355,7 @@ app.enableAuth = function() {
     } else {
       next();
     }
-  });
+  };
 
   this.isAuthEnabled = true;
 };

test/acl.test.js

@@ -356,3 +356,42 @@ describe('security ACLs', function() {
     });
   });
 });
+
+describe('access check', function() {
+  var app;
+  before(function() {
+    app = loopback();
+    app.use(loopback.rest());
+    app.enableAuth();
+    app.dataSource('test', {connector: 'memory'});
+  });
+
+  it('should occur before other remote hooks', function(done) {
+    var MyTestModel = app.model('MyTestModel', {base: 'PersistedModel', dataSource: 'test'});
+    var checkAccessCalled = false;
+    var beforeHookCalled = false;
+
+    // fake / spy on the checkAccess method
+    MyTestModel.checkAccess = function() {
+      var cb = arguments[arguments.length - 1];
+      checkAccessCalled = true;
+      var allowed = true;
+      cb(null, allowed);
+    };
+
+    MyTestModel.beforeRemote('find', function(ctx, next) {
+      // ensure this is called after checkAccess
+      if (!checkAccessCalled) return done(new Error('incorrect order'));
+      beforeHookCalled = true;
+      next();
+    });
+
+    request(app)
+      .get('/MyTestModels')
+      .end(function(err, result) {
+        assert(beforeHookCalled, 'the before hook should be called');
+        assert(checkAccessCalled, 'checkAccess should have been called');
+        done();
+      });
+  });
+});