Remote hooks called before ACL rules are applied

[kortac]

Right now ACLs are called after before remote hook. That means this stack of calls:

1. Before remote Hook
2. ACL
3. Remote method
4. After remote hook
   I'd expect ACLs to be checked prior calling before remote hooks and not the other way round.

Example:

Event.beforeRemote("prototype.__unlink__guests", function(ctx, modelInstance, next){
    console.log("before remote hook");
    next();
});

with this ACL

{
  "accessType": "*",
  "principalType": "ROLE",
  "principalId": "$everyone",
  "permission": "DENY",
  "property": "__unlink__guests"
}

Even though the Loopback explorer displays a 401 error, the console displays "before remote hook". In my opinion, this should not be the case.

[raymondfeng]

@ritch ACL check is done from one of the remote hooks. Can we ensure it's called before any other remote hooks?

[ritch]

If you create the hook after boot it should run in the expected order.

[fabien]

@raymondfeng @ritch I think the expected behavior would be to have the ACL check be the first call in the stack. Or at least it should be configurable to work that way. It has some pretty serious implications, if you're not aware of this right now!

[fabien]

@raymondfeng @ritch I strongly believe this should be fixed ASAP. Any before remote hook defined at the models/model.js or mixin level will just execute the before hook without any regard to ACL checks. This is a security disaster waiting to happen.

[ritch]

@fabien agreed. I've implemented this as both a new feature (a new authorization hook) and a fix (ensuring we use this hook instead of adding blindly as a remotes.before() hook).

See #1370

[fabien]

@ritch thanks!

[ritch]

@Toreader @fabien fixed @ 2.17.3