disable-remote-methods.js

// started from https://github.com/strongloop/loopback/issues/651

'use strict';

let _ = require('lodash');

module.exports = function (Model, options) {

	if(Model && Model.sharedClass) {
		let enableFromACLs = options.enableFromACLs === false? false: true;
		let enabledMethodsNames = options.enable || [];
		let disabledMethodsNames = options.disable || [];

		// wait for all models to be attached so sharedClass.methods() returns all methods
		Model.on('attached', function (server) {
			server.on('started', function () {

				if (enableFromACLs === true) {
					// add names of methods explicitly authorized by static ACLs to array of enabled methods names and remove duplicates
					enabledMethodsNames =  _.uniq( enabledMethodsNames.concat( getAclMethods(Model)));
				}

				// remove explicitly hidden methods
				if  (disabledMethodsNames.length) {
					enabledMethodsNames = _.difference(enabledMethodsNames, disabledMethodsNames);
				}

				// get all Model methods
				let allMethods = Model.sharedClass.methods();

				// compute final list of hidden methods names by substracting methods to enable from array of all methods
				disabledMethodsNames = _.differenceWith(allMethods, enabledMethodsNames, function (method, enabledMethodName) {
					return (method.name === enabledMethodName);
				});

				// extract methods names only and add prefix 'prototype.' to names of non static methods to disable
				disabledMethodsNames = disabledMethodsNames.map(function (method) {
					return method.isStatic? method.name: 'prototype.'+method.name;
				});

				if ( disabledMethodsNames.length ) {
					console.log( 'Model <%s> - Hidding remote methods: ', Model.modelName, disabledMethodsNames.join( ', ' ));
				}

				// disable remote methods from computed list
				disabledMethodsNames.map(Model.disableRemoteMethodByName, Model);
			});
		});
	}

	function getAclMethods (Model) {
		let authorizedMethods = [];
		let acls = Model.definition.settings.acls || [];

		acls.forEach((acl) => {
			if (acl.permission === 'ALLOW' && acl.property) {
				if (Array.isArray(acl.property)) {
					authorizedMethods = authorizedMethods.concat(acl.property);
				}
				else {
					authorizedMethods.push(acl.property);
				}
			}
		});

		return authorizedMethods;
	}

};

example.json

{
  "name": "Example",
  "base": "PersistentModel",
  "idInjection": true,
  "options": {
    "validateUpsert": true
  },
  "properties": {
    "name": {
      "type": "string",
      "required": true
    }
  },
  "validations": [],
  "relations": {},
  "acls": [],
  "methods": {},
  "mixins":{
    "DisableRemoteMethods":{
      "enableFromACLs": true, 
      "enable":["findById"],
      "disable":["create"]
    }
  }
}

index.js

'use strict';

var util = require('util');

var disableRemoteMethods = require('./disable-remote-methods');

module.exports = (0, util.deprecate) (
	function (app) { return app.loopback.modelBuilder.mixins.define('disableRemoteMethods', disableRemoteMethods);},
	'DEPRECATED: Use mixinSources, see https://github.com/.../loopback-import-mixin#mixinsources'
);