diff --git a/lib/application.js b/lib/application.js
index 590c6584..e61e1aa2 100644
--- a/lib/application.js
+++ b/lib/application.js
@@ -295,7 +295,8 @@ app.enableAuth = function() {
 var remotes = this.remotes();
 var app = this;
 
- remotes.before('**', function(ctx, next, method) {
+ remotes.authorization = function(ctx, next) {
+ var method = ctx.method;
 var req = ctx.req;
 var Model = method.ctor;
 var modelInstance = ctx.instance;
@@ -354,7 +355,7 @@ app.enableAuth = function() {
 } else {
 next();
 }
- });
+ };
 
 this.isAuthEnabled = true;
 };
diff --git a/test/acl.test.js b/test/acl.test.js
index 6b3e32e3..d8706eec 100644
--- a/test/acl.test.js
+++ b/test/acl.test.js
@@ -356,3 +356,42 @@ describe('security ACLs', function() {
 });
 });
 });
+
+describe('access check', function() {
+ var app;
+ before(function() {
+ app = loopback();
+ app.use(loopback.rest());
+ app.enableAuth();
+ app.dataSource('test', {connector: 'memory'});
+ });
+
+ it('should occur before other remote hooks', function(done) {
+ var MyTestModel = app.model('MyTestModel', {base: 'PersistedModel', dataSource: 'test'});
+ var checkAccessCalled = false;
+ var beforeHookCalled = false;
+
+ // fake / spy on the checkAccess method
+ MyTestModel.checkAccess = function() {
+ var cb = arguments[arguments.length - 1];
+ checkAccessCalled = true;
+ var allowed = true;
+ cb(null, allowed);
+ };
+
+ MyTestModel.beforeRemote('find', function(ctx, next) {
+ // ensure this is called after checkAccess
+ if (!checkAccessCalled) return done(new Error('incorrect order'));
+ beforeHookCalled = true;
+ next();
+ });
+
+ request(app)
+ .get('/MyTestModels')
+ .end(function(err, result) {
+ assert(beforeHookCalled, 'the before hook should be called');
+ assert(checkAccessCalled, 'checkAccess should have been called');
+ done();
+ });
+ });
+});
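Review bot: Assigning `remotes.authorization` in the first hunk of lib/application.js only enforces anything if the installed remoting layer (presumably strong-remoting) reads that property and populates `ctx.method`. On a version that does not, the assignment would be silently ignored, and because the same hunk removes the `remotes.before('**', ...)` hook, no ACL check would run at all. The diff shown here does not touch package.json, so the minimum dependency version should be raised in the same commit unless that is done elsewhere. A plain assignment also replaces any handler an application set earlier, which is worth stating in a comment above it, for example `// Single authorization phase: runs before every user-defined remote hook and replaces any earlier handler.` The handler body continues outside this hunk.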
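Review bot: The new test in test/acl.test.js covers only the allowed path, so it would still pass if a denied request went on to run the `beforeRemote` hook, which is the property that matters for an access check. A second case in which the faked `checkAccess` calls back with `false` should assert that the hook never runs and that the response is not a success. The exact status code for a denial is set in the part of `enableAuth` outside this diff and can be asserted once confirmed. The existing `.end` callback also drops `err`; `if (err) return done(err);` as its first line would surface request failures directly.

```javascript
// … unchanged: describe('access check') setup and the allowed-path test …

  it('should not run remote hooks when access is denied', function(done) {
    var DeniedModel = app.model('MyDeniedModel', {base: 'PersistedModel', dataSource: 'test'});
    var beforeHookCalled = false;

    // fake checkAccess so that every request is rejected
    DeniedModel.checkAccess = function() {
      var cb = arguments[arguments.length - 1];
      cb(null, false);
    };

    DeniedModel.beforeRemote('find', function(ctx, next) {
      beforeHookCalled = true;
      next();
    });

    request(app)
      .get('/MyDeniedModels')
      .end(function(err, res) {
        if (err) return done(err);
        assert(!beforeHookCalled, 'the before hook must not run for a denied request');
        assert.notEqual(res.statusCode, 200);
        done();
      });
  });
```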