JS20 - Documentation

Bypass ACL

Sometimes you need to bypass ACL checks. For example, if you need an action that calculates reviews for a book based on reviews from all users and not just the logged-in user.

const updateAverageRating = app.action({
    inputSchema: Schema.withInstance(sBook),
    outputSchema: sMessage,
    run: async (system, input) => {
        // Get all reviews for the book, bypassing ACL rules
        const reviews = await system.bypassAcl.models.review.getAll({
            bookId: input.id,
        });

        if (!reviews.length) {
            return { 
                message: 'No reviews found for book'
            };
        }

        const sum = reviews.reduce((acc, r: any) => acc + Number(r.stars || 0), 0);
        const avg = sum / reviews.length;

        await system.models.book.updateById(input.id, {
            averageRating: Math.round(avg),
        });

        return { 
            message: `Updated average rating to ${Math.round(avg)}`
        };
    }
});

If you run:

await system.models.review.getAll();

// Query will be
// SELECT * FROM reviews WHERE ownerId = :userId

If you instead run:

await system.bypassAcl.models.review.getAll();

// Query will be
// SELECT * FROM reviews

This way you can bypass ACL checks when needed. Obviously, be careful when using this feature, as it can lead to problems if used incorrectly.