From 9cde2a45be91c5049cea2c3b6a50db3f11faf7b2 Mon Sep 17 00:00:00 2001
From: Ritchie Martori <skawful@gmail.com>
Date: Wed, 6 May 2015 13:51:14 -0700
Subject: [PATCH] Use the new remoting.authorization hook for check access

---
 lib/application.js |  5 +++--
 test/acl.test.js   | 39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/lib/application.js b/lib/application.js
index 590c6584..e61e1aa2 100644
--- a/lib/application.js
+++ b/lib/application.js
@@ -295,7 +295,8 @@ app.enableAuth = function() {
   var remotes = this.remotes();
   var app = this;
 
-  remotes.before('**', function(ctx, next, method) {
+  remotes.authorization = function(ctx, next) {
+    var method = ctx.method;
     var req = ctx.req;
     var Model = method.ctor;
     var modelInstance = ctx.instance;
@@ -354,7 +355,7 @@ app.enableAuth = function() {
     } else {
       next();
     }
-  });
+  };
 
   this.isAuthEnabled = true;
 };
diff --git a/test/acl.test.js b/test/acl.test.js
index 6b3e32e3..d8706eec 100644
--- a/test/acl.test.js
+++ b/test/acl.test.js
@@ -356,3 +356,42 @@ describe('security ACLs', function() {
     });
   });
 });
+
+describe('access check', function() {
+  var app;
+  before(function() {
+    app = loopback();
+    app.use(loopback.rest());
+    app.enableAuth();
+    app.dataSource('test', {connector: 'memory'});
+  });
+
+  it('should occur before other remote hooks', function(done) {
+    var MyTestModel = app.model('MyTestModel', {base: 'PersistedModel', dataSource: 'test'});
+    var checkAccessCalled = false;
+    var beforeHookCalled = false;
+
+    // fake / spy on the checkAccess method
+    MyTestModel.checkAccess = function() {
+      var cb = arguments[arguments.length - 1];
+      checkAccessCalled = true;
+      var allowed = true;
+      cb(null, allowed);
+    };
+
+    MyTestModel.beforeRemote('find', function(ctx, next) {
+      // ensure this is called after checkAccess
+      if (!checkAccessCalled) return done(new Error('incorrect order'));
+      beforeHookCalled = true;
+      next();
+    });
+
+    request(app)
+      .get('/MyTestModels')
+      .end(function(err, result) {
+        assert(beforeHookCalled, 'the before hook should be called');
+        assert(checkAccessCalled, 'checkAccess should have been called');
+        done();
+      });
+  });
+});