You can control deep populate with rule.populateWhitelist.
Rule example:
```js
const options = {
  Model,
  paginate,
  whitelist: '$populate',
  serviceRules: [
    // Rule example that allows the user to populate post and post tags
    { actions: ['read'], populateWhitelist: ['post', 'post.tags'] },
    // Rule example that allows the user to populate post and post tags,
    // but select only the tag name
    {
      actions: ['read'],
      populateWhitelist: ['post', { path: 'post.tags', select: ['name'] }]
    },
  ],
};
```
```js
const { callingParamsPersistUser } = require('feathers-mongoose-casl');

// We use callingParamsPersistUser to persist the user's abilities when the
// request is made from the server (this runs inside an async hook, where
// `context` is available).
// Here the user gets a response with the post populated, and each tag inside
// the post is populated, but with only the name field.
// user will not be populated; it is not allowed by the populateWhitelist.
const res = await context.app.service('some-service').find(
  callingParamsPersistUser(context.params, {
    query: {
      '$populate': [
        { path: 'post', populate: { path: 'tags', select: 'name, rating' } },
        'user'
      ]
    }
  })
);
```
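The filtering described above, sketched as an added example (not feathers-mongoose-casl's own code): a requested `$populate` is rebuilt against a `populateWhitelist`, covering both string and object forms. The names `sanitizePopulate`, `toRuleMap` and `toFields` are hypothetical, and the sample request is constructed from the snippet above.

```javascript
// Added illustration; not feathers-mongoose-casl's own implementation.
// Map each whitelisted path to its allowed fields (null = any field).
function toRuleMap(populateWhitelist) {
  return new Map(populateWhitelist.map((e) =>
    typeof e === 'string' ? [e, null] : [e.path, e.select || null]));
}

// Accept 'a b', 'a, b' or ['a', 'b']; any other select shape yields no fields.
function toFields(select) {
  if (Array.isArray(select)) return select.filter((f) => typeof f === 'string' && f);
  if (typeof select === 'string') return select.split(/[\s,]+/).filter(Boolean);
  return [];
}

// Rebuild the requested populate from scratch: only path, select and nested
// populate survive, so keys such as match/options/model never reach the query.
function sanitizePopulate(populate, populateWhitelist, prefix = '') {
  const rules = populateWhitelist instanceof Map
    ? populateWhitelist : toRuleMap(populateWhitelist);
  const requested = Array.isArray(populate) ? populate : [populate];
  const out = [];
  for (const item of requested) {
    const node = typeof item === 'string' ? { path: item } : item;
    if (!node || typeof node.path !== 'string') continue;
    const fullPath = prefix + node.path;
    if (!rules.has(fullPath)) continue; // path not whitelisted: drop it
    const allowed = rules.get(fullPath);
    const wanted = toFields(node.select);
    const clean = { path: node.path };
    if (allowed) {
      // Keep only whitelisted fields; fall back to the full allowed set.
      const kept = wanted.filter((f) => allowed.includes(f));
      clean.select = (kept.length ? kept : allowed).join(' ');
    } else if (wanted.length) {
      clean.select = wanted.join(' ');
    }
    if (node.populate) {
      const nested = sanitizePopulate(node.populate, rules, fullPath + '.');
      if (nested.length) clean.populate = nested;
    }
    out.push(clean);
  }
  return out;
}

// Constructed sample: the request and second rule from the snippets above.
const sampleRequest = [{ path: 'post', populate: { path: 'tags', select: 'name, rating' } }, 'user'];
const sampleWhitelist = ['post', { path: 'post.tags', select: ['name'] }];
console.log(JSON.stringify(sanitizePopulate(sampleRequest, sampleWhitelist)));
```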
Important - security issue in versions before 1.9.0
When you enable $populate, your service is not fully secure:
for now, we didn't handle security for populate passed as an object,
for example: