@vietkute02
Forked from nullEuro/installation.js
Last active August 29, 2015 14:11
// ...
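function checkBelongsTo(installationId, userId, cb) {
  // Ownership check used by the remote hooks below: looks the installation up
  // and reports whether its userId matches the caller's.
  //
  // installationId - id of the Installation record to check
  // userId         - id of the requesting user (taken from the access token)
  // cb(err, belongs) - `belongs` is always a strict boolean. It is false (not
  //                    null/undefined) when the lookup fails, when no record
  //                    exists, or when either side has no userId, so every
  //                    "cannot tell" case is treated as "not yours".
  Installation.findById(installationId, function (err, inst) {
    if (err) {
      return cb(err, false);
    }
    // Ids may arrive as strings (URL params) or as driver id objects (stored
    // records); compare their string forms instead of relying on loose
    // equality, and refuse to match when either id is missing.
    var belongs = inst != null &&
      inst.userId != null &&
      userId != null &&
      String(inst.userId) === String(userId);
    cb(null, belongs);
  });
}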
// Shared "Forbidden" error returned by the hooks below. Both `status` and
// `statusCode` are set, presumably because different error handlers read
// different properties. This is a single module-level instance reused across
// requests, so nothing may mutate it after construction.
var ERR_403 = new Error("Forbidden");
ERR_403.status = 403;
ERR_403.statusCode = 403;
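// prevent users from creating installations for foreign accounts:
// whatever userId the client sent is replaced by the one on the access token
Installation.beforeRemote('create', function(ctx, ign, next) {
  var token = ctx.req.accessToken;
  // The ACL only admits authenticated callers here, but fail closed rather
  // than throw a TypeError if the hook is ever reached without a token.
  if (!token) {
    return next(ERR_403);
  }
  var body = ctx.req.body;
  // Cover both a single record and an array of records, so that a bulk
  // payload cannot carry foreign userIds past this hook.
  var records = Array.isArray(body) ? body : [body];
  records.forEach(function (record) {
    if (record && typeof record === 'object') {
      record.userId = token.userId;
    }
  });
  // NOTE(review): this rewrites ctx.req.body; it assumes the remote method's
  // data argument aliases that object — confirm for the framework version in use.
  next();
});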
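// prevent users from changing the userId of their own installations
// prevent users from changing foreign installations
Installation.beforeRemote('prototype.updateAttributes', function(ctx, ign, next) {
  var token = ctx.req.accessToken;
  // Fail closed if there is no token to attribute the request to.
  if (!token) {
    return next(ERR_403);
  }
  var currentUserId = token.userId;
  // Pin the owner to the caller regardless of what the client sent.
  if (ctx.req.body && typeof ctx.req.body === 'object') {
    ctx.req.body.userId = currentUserId;
  }
  var installationId = ctx.req.params.id;
  // This hook is reached through the instance route, so an id is expected;
  // without one ownership cannot be verified, so fail closed instead of open.
  if (!installationId) {
    return next(ERR_403);
  }
  checkBelongsTo(installationId, currentUserId, function (err, belongsToCurrentUser) {
    if (err) {
      return next(err);
    }
    // A missing record is reported as 403 as well, so the response does not
    // reveal whether a given installation id exists.
    next(belongsToCurrentUser ? null : ERR_403);
  });
});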
// ...
...
"acls": [
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "DENY"
},
{
"accessType": "WRITE",
"principalType": "ROLE",
"principalId": "$authenticated",
"permission": "ALLOW",
"property": "create"
},
{
"accessType": "EXECUTE",
"principalType": "ROLE",
"principalId": "$authenticated",
"permission": "ALLOW",
"property": "updateAttributes"
}
],
...