You can control deep populate with rule.populateWhitelist.
Rule example:
const options = {
  Model,
  paginate,
  whitelist: '$populate',
  serviceRules: [
    // Rule example that allows the user to populate posts and post tags
    {
      actions: ['read'],
      populateWhitelist: ['post', 'post.tags']
    },
    // Rule example that allows the user to populate posts and post tags, but select only the tag name
    {
      actions: ['read'],
      populateWhitelist: ['post', {path: 'post.tags', select: ['name']}]
    },
  ],
};
const {callingParamsPersistUser} = require('feathers-mongoose-casl');
// We use callingParamsPersistUser to persist the user's abilities when the request is made from the server.
// Here the user gets a response with the post populated, and each tag inside the post is populated,
// but only with the name field.
// user will not be populated; it is not allowed by the populateWhitelist.
// (This call runs inside an async hook, where `context` is the hook context.)
const res = await context.app.service('some-service').find(callingParamsPersistUser(context.params, {
  query: {
    '$populate': [
      {
        path: 'post',
        populate: {
          path: 'tags',
          // Mongoose select strings are space-separated; rating is requested but not whitelisted
          select: 'name rating'
        }
      },
      'user'
    ]
  }
}));
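To show what enforcing a populateWhitelist involves, here is an added example (not code from feathers-mongoose-casl or from this page): a stand-alone filter that applies the second rule above to the request above. filterPopulate and toFields are hypothetical names, and the example assumes whitelist entries are dotted paths from the service root, as in the rule example.

```javascript
// Added example, not feathers-mongoose-casl's own code. filterPopulate and
// toFields are hypothetical helpers; only the rule shape comes from the page.
function toFields(select) {
  if (Array.isArray(select)) return select.filter((f) => typeof f === 'string');
  return typeof select === 'string' ? select.split(/[\s,]+/).filter(Boolean) : [];
}

function filterPopulate(requested, whitelist, prefix = '') {
  // Index rules by full dotted path; null means "no field restriction".
  const allowed = new Map(whitelist.map((w) =>
    (typeof w === 'string' ? [w, null] : [w.path, w.select || null])));
  const out = [];
  for (const item of [].concat(requested || [])) {
    const entry = typeof item === 'string' ? { path: item } : item;
    if (!entry || typeof entry.path !== 'string') continue; // malformed: drop
    const full = prefix ? `${prefix}.${entry.path}` : entry.path;
    if (!allowed.has(full)) continue; // not whitelisted: drop the whole branch
    // Rebuild the object so unreviewed keys (match, options, model) never pass.
    const clean = { path: entry.path };
    const rule = allowed.get(full);
    const asked = toFields(entry.select);
    const kept = rule ? asked.filter((f) => rule.includes(f)) : asked;
    // An empty select returns every field, so fall back to the rule's list.
    const fields = kept.length ? kept : rule || [];
    if (fields.length) clean.select = fields.join(' ');
    const nested = filterPopulate(entry.populate, whitelist, full);
    if (nested.length) clean.populate = nested;
    out.push(clean);
  }
  return out;
}

// Constructed sample: the second rule and the request shown above.
const sampleWhitelist = ['post', { path: 'post.tags', select: ['name'] }];
const sampleRequest = [
  { path: 'post', populate: { path: 'tags', select: 'name rating' } },
  'user',
];
console.log(JSON.stringify(filterPopulate(sampleRequest, sampleWhitelist)));
```

Rebuilding each populate entry from the whitelist, rather than deleting disallowed keys from the client's object, is what keeps the object form of $populate from carrying unreviewed options through.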
Important - security issue in versions before 1.9.0
When you enable $populate, your service is not fully secure;
for now we didn't handle security for populate as an object,
for example: