salix/back/models/notificationSubscription.js

const UserError = require('vn-loopback/util/user-error');

module.exports = Self => {
    require('../methods/notification/getList')(Self);

    Self.observe('before save', async function(ctx) {
        await checkModifyPermission(ctx);
    });

    Self.observe('before delete', async function(ctx) {
        await checkModifyPermission(ctx);
    });

    async function checkModifyPermission(ctx) {
        const models = Self.app.models;
        const instance = ctx.instance;
        const userId = ctx.options.accessToken.userId;

        let notificationFk;
        let workerId;

        if (instance) {
            notificationFk = instance.notificationFk;
            workerId = instance.userFk;
        } else {
            const notificationSubscription = await models.NotificationSubscription.findById(ctx.where.id);
            notificationFk = notificationSubscription.notificationFk;
            workerId = notificationSubscription.userFk;
        }

        const worker = await models.Worker.findById(workerId, {fields: ['id', 'bossFk']});
        const notificationsAvailables = await models.NotificationSubscription.getList(workerId);
        const hasAcl = notificationsAvailables.some(available => available.notificationFk === notificationFk);

        if (!hasAcl || (userId != worker.id && userId != worker.bossFk))
            throw new UserError('The notification subscription of this worker cant be modified');
    }
};