Question

请有人帮助我吗？

我已经创建了一个管理员用户和一个简单的用户，管理员可以做任何事情，但是我尝试使用他自己的经过身份验证的令牌编辑简单用户，并且我每次都未经授权获取，发布，放置或删除，这里是我的user.json：

{
"name": "User",
"properties": {
"realm": {
"type": "string"
},
"username": {
"type": "string"
},
"realName": {
"type": "string",
"required": true
},
"timezone": {
"type": "string",
"required": false
},
"language": {
"type": "string",
"required": false
},
"password": {
"type": "string",
"required": true
},
"credentials": {
"type": "object",
"deprecated": true
},
"challenges": {
"type": "object",
"deprecated": true
},
"email": {
"type": "string",
"required": true
},
"ownerId": {
"type": "number",
"required": true
},
"emailVerified": "boolean",
"verificationToken": "string",
"status": "boolean",
"created": "date",
"lastUpdated": "date"
},
"hidden": ["password"],
"acls": [
{
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "DENY"
},
{
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW",
"property": "create"
},
{
"principalType": "ROLE",
"principalId": "$owner",
"permission": "ALLOW",
"property": "deleteById"
},
{
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW",
"property": "login"
},
{
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW",
"property": "logout"
},
{
"principalType": "ROLE",
"principalId": "$owner",
"permission": "ALLOW",
"property": "findById"
},
{
"principalType": "ROLE",
"principalId": "$owner",
"permission": "ALLOW",
"property": "upsert"
},
{
"principalType": "ROLE",
"principalId": "$owner",
"permission": "ALLOW",
"property": "updateAttributes"
},
{
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW",
"property": "activation"
},
{
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW",
"property": "confirm"
},
{
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW",
"property": "resetPassword",
"accessType": "EXECUTE"
}
],
"relations": {
"accessTokens": {
"type": "hasMany",
"model": "AccessToken",
"foreignKey": "userId",
"options": {
"disableInclude": true
}
}
}
}

Answer 1

您是否打算覆盖基本用户模型？如果是这样，您应该将其命名为MyUser，并将基数设置为＆＃34; User＆＃34;。在server / model-config.json中，设置＆＃34; public＆＃34;对于＆＃34;用户＆＃34;为false对于＆＃34; MyUser＆＃34;。

Answer 2

好的，让我们解释一下解决方案。

使用安全性调试命令行，我可以看到Loopback如何解析权限：

# DEBUG=loopback:security:role node .
loopback:security:role isInRole(): $everyone +0ms
  loopback:security:role Custom resolver found for role $everyone +1ms
  loopback:security:role isInRole(): $owner +0ms
  loopback:security:role Custom resolver found for role $owner +0ms
  loopback:security:role isOwner(): User 11 userId: 11 +1ms
  loopback:security:role Model found: {"realm":null,"username":"...","id":11} +4ms
  loopback:security:role No matching belongsTo relation found for model "11" and user: 11 +1ms

使用这些数据我创建了一个名为＆＃34; userId＆＃34;的字段。在User表中，并将belongsTo指令指向它自己的文件（user.json）中的该字段。

"user": {
      "type": "belongsTo",
      "model": "User",
      "foreignKey": "userId"
    }

现在，用户11可以编辑您自己的个人资料，但无法查看或更改任何其他用户注册。

它不是一个漂亮的解决方案，实际上loopback应该在ACL逻辑中有这个自我相关的指令，但是它可以工作。

此致

用户无法在LoopBackJS中访问或编辑自己

2 个答案: