const UserError = require('vn-loopback/util/user-error'); module.exports = Self => { Self.observe('before save', async function(ctx) { const models = Self.app.models; const userId = ctx.options.accessToken.userId; const user = await ctx.instance.userFk; const modifiedUser = await getUserToModify(user, models); if (userId == modifiedUser.id || userId == modifiedUser.bossFk) return; else throw new UserError('You dont have permission to modify this user'); }); Self.remoteMethod('deleteNotification', { description: 'Gets the current user data', accepts: [ { arg: 'ctx', type: 'object', http: {source: 'context'} }, { arg: 'userId', type: 'string' }, { arg: 'notificationId', type: 'number' }, { arg: 'authorId', type: 'number' } ], returns: { type: 'object', root: true }, http: { verb: 'POST', path: '/deleteNotification' } }); Self.deleteNotification = async function(ctx) { const models = Self.app.models; const user = await ctx.args.authorId; const notificationId = await ctx.args.notificationId; const userId = await ctx.args.userId; const modifiedUser = await getUserToModify(userId, models); if (user == modifiedUser.id || modifiedUser.bossFk == user) { const query = `DELETE FROM util.notificationSubscription WHERE notificationFk = ? AND userFk = ?`; await Self.rawSql(query, [notificationId, userId]); return; } else throw new UserError('You dont have permission to modify this user'); }; async function getUserToModify(user, models) { return await models.Worker.findOne({ fields: ['id', 'bossFk'], where: { id: user } }); } };