LoopBack ACL with $owner

Book.json

{
  "name": "Book",
  "base": "PersistedModel",
  "idInjection": true,
  "properties": {
    "title": {
      "type": "string",
      "required": true
    },
    "value": {
      "type": [
        "object"
      ],
      "required": true
    }
  },
  "validations": [],
  "relations": {
    "member": {
      "type": "belongsTo",
      "model": "Member",
      "foreignKey": "memberId"
    }
  },
  "acls": [
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW"
    }
  ],
  "methods": []
}

Member.json

{
  "name": "Member",
  "base": "User",
  "idInjection": true,
  "properties": {},
  "validations": [],
  "relations": {
    "books": {
      "type": "hasMany",
      "model": "Book",
      "foreignKey": "memberId"
    }
  },
  "acls": [],
  "methods": []
}

So a Member has many Books. With this setup I can GET /books for ALL users with an access token for User-1 even though User-1 is only an "owner" of a few books with the relationship setup through "memberId". Unless I am understanding how ACLs and Relationships wrong.

GET /members/ID/books also throws a 401 even with a legit access token with or without ALCs set. However, GET /books works fine.

I thought that when posting with an access token that would get translated and automatically used on all the CRUD methods.

So if I had a access token XXX that was for Member with ID: 5 then...

POST /books -H 'Authorization: XXX' -d '{ "title": "Book Title" } would create a book that looks like { "id": 1, "memberId": 5, "title": "Book Title" }

Then if I were to perform GET /books -H 'Authorization: XXX' I would get ONLY the books with "memberId": 5 since they were the owner of the object and created it initially with their own access token.