V8 field level security

Line 4: Line 4:
 
// get.post_process
 
// get.post_process
  
var lodash = require('lodash.min.js');
+
// check for your special role name that allows access
  
lodash._.each(event.response.content.resource, function (record) {
+
if (platform.sesssion.role.name !== 'admin') {
  
     if (platform.sesssion.role.name !== 'admin') {
+
     var lodash = require('lodash.min.js');
  
         if (record.tax_identifier) {
+
    lodash._.each(event.response.content.resource, function (record) {
 +
 
 +
         if (record.hasOwnProperty('tax_identifier')) {
 
             delete record.tax_identifier;
 
             delete record.tax_identifier;
 
         }
 
         }
   
+
 
         if (record.date_of_birth) {
+
         if (record.hasOwnProperty('date_of_birth')) {
 
             delete record.date_of_birth;
 
             delete record.date_of_birth;
 
         }
 
         }
     }
+
     });
});
+
}
 
</source>
 
</source>
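Review bot: The role check that this revision moves to the top of the script still reads `platform.sesssion.role.name` (three s's), carried over unchanged from the old revision. Unless the platform object really exposes a `sesssion` property, that lookup throws instead of evaluating, so whether `tax_identifier` and `date_of_birth` are stripped then depends on how a failed post-process script is handled. The line should presumably read `if (platform.session.role.name !== 'admin') {`. Since this check is now the only gate in front of the field removal, it is also worth a comment such as `// any role other than 'admin', or a missing role, gets the fields stripped` so the intended fail-closed behaviour is explicit.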

Revision as of 18:50, 29 June 2016

Remove certain fields from the response depending on the current role. The API call returns 'tax_identifier' and 'date_of_birth' from the database. Before the JSON content is returned to the client, the script removes tax_identifier and date_of_birth unless the current role is 'admin'. For this change to take effect, you have to enable modification of the response in the admin console script editor; the checkbox label is 'Allow script to modify request (pre-process) or response (post-process)'. The script runs only on the event it is attached to (here, get.post_process), so it filters only those responses.

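// get.post_process
//
// Field-level filter for GET responses: removes tax_identifier and
// date_of_birth from each returned record unless the caller's role is 'admin'.
// The script editor option 'Allow script to modify request (pre-process) or
// response (post-process)' must be enabled for the removal to take effect.

// check for your special role name that allows access
// The role name is resolved defensively: a missing session or role counts as
// "not admin", so the fields are stripped instead of the script failing on
// the property lookup.
var session = platform.session;
var roleName = (session && session.role) ? session.role.name : null;

if (roleName !== 'admin') {

    var lodash = require('lodash.min.js');

    var content = event.response.content;
    var records = [];

    if (content && content.resource !== undefined && content.resource !== null) {
        records = content.resource;
    } else if (content && typeof content === 'object') {
        // NOTE(review): a response without a `resource` wrapper is treated as
        // a single record so it is filtered too - confirm which response
        // shapes this endpoint can return.
        records = [content];
    }

    lodash._.each(records, function (record) {

        // Skip entries that cannot carry the restricted fields.
        if (!record || typeof record !== 'object') {
            return;
        }

        if (record.hasOwnProperty('tax_identifier')) {
            delete record.tax_identifier;
        }

        if (record.hasOwnProperty('date_of_birth')) {
            delete record.date_of_birth;
        }
    });
}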