Here is what I want to implement:
I want to allow a user (a kind of participant) to create an asset, but only in a transaction, whereas outside of this transaction I want to deny all user rights to create assets.
I tried to solve it using a condition in a rule in the .acl file, using a function:
    rule UserCanCreateAssetOnlyInTransaction {
        description: "Deny all participants create access to all userWallets if not in transaction"
        participant(p): "com.example.User"
        operation: CREATE
        resource(r): "com.example.UserAsset"
        condition: (isInTransactionF())
        action: ALLOW
    }
Then in the transaction I create a variable as var isInTransaction = true; and in the logic.js file I added:
    /**
     * @returns {boolean} boolean true/false
     */
    function isInTransactionF() {
        if (isInTransaction) {
            return true;
        } else {
            return false;
        }
    }
It doesn't work: when I call the only transaction in which create access should work, it says that the user does not have create access to submit this transaction.
I guess I'm doing something wrong, is there any way to solve this problem?
To achieve what you want in your function, you would say:
    /**
     * @returns {boolean} boolean true/false
     */
    function isInTransactionF() {
        var isInTransaction = true; // Boolean
        if (isInTransaction) {
        // if (Boolean(isInTransaction)) { // alternative
            return true;
        } else {
            return false;
        }
    }
Your current ACL would then work.
I can call console.log to see the returned result:
    console.log("The return result is " + isInTransactionF()); // true
To restrict a participant to creating an asset ONLY through a certain transaction class, the rule would look something like this (i.e. the asset can only be created through this class; implicitly it should be denied elsewhere, assuming there are no other Asset Create rules):
    rule CreateAssetThruTxn {
        description: "sample"
        participant(p): "com.example.User"
        operation: CREATE
        resource(r): "com.example.UserAsset"
        transaction(tx): "com.example.AssetCreate"
        condition: (true)
        action: ALLOW
    }
If your ACL is failing, then you need to see what other ACL rules could be ALLOWING the creation of this asset through another means, but the rule I provided would be the usual means to control that (based on the info you provided in the question).
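
The effect of the transaction clause, and the audit for other ALLOW rules that the answer recommends, can be checked with a small model. This is an added example, not part of the original answer and not Composer's own code; it assumes rules are evaluated in file order with the first match deciding and no match meaning DENY, it compares names exactly (no wildcards), and the `UsersManageAssets` rule is hypothetical.

```javascript
// Simplified model of ACL evaluation, NOT Composer's own code.
// Assumption: rules are checked in file order, the first matching rule
// decides, and a request that matches no rule is denied.

// The answer's rule, expressed as data.
const createThruTxn = {
  name: 'CreateAssetThruTxn', participant: 'com.example.User',
  operation: 'CREATE', resource: 'com.example.UserAsset',
  transaction: 'com.example.AssetCreate', condition: () => true, action: 'ALLOW',
};

// Hypothetical broad rule of the kind that would defeat the restriction.
const broadAllow = {
  name: 'UsersManageAssets', participant: 'com.example.User',
  operation: 'CREATE', resource: 'com.example.UserAsset',
  condition: () => true, action: 'ALLOW',
};

function matches(rule, req) {
  return rule.participant === req.participant &&
    rule.operation === req.operation &&
    rule.resource === req.resource &&
    // A rule with a transaction clause only applies inside that transaction.
    (rule.transaction === undefined || rule.transaction === req.transaction) &&
    rule.condition(req) === true;
}

function decide(rules, req) {
  const hit = rules.find((rule) => matches(rule, req));
  return hit ? { action: hit.action, rule: hit.name } : { action: 'DENY', rule: null };
}

// Audit helper: ALLOW rules that grant the operation with no transaction clause.
function findBypassRules(rules, operation, resource) {
  return rules
    .filter((r) => r.action === 'ALLOW' && r.operation === operation &&
      r.resource === resource && r.transaction === undefined)
    .map((r) => r.name);
}

// Constructed requests: a direct create, and one made inside the transaction.
const direct = { participant: 'com.example.User', operation: 'CREATE',
  resource: 'com.example.UserAsset' };
const viaTxn = { ...direct, transaction: 'com.example.AssetCreate' };

console.log(decide([createThruTxn], direct).action);
console.log(decide([createThruTxn], viaTxn).action);
console.log(findBypassRules([createThruTxn, broadAllow], 'CREATE', 'com.example.UserAsset'));
```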