请有人帮助我吗?
我已经创建了一个管理员用户和一个简单的用户,管理员可以做任何事情,但是我尝试使用他自己的经过身份验证的令牌编辑简单用户,并且我每次都未经授权获取,发布,放置或删除,这里是我的user.json:
{
"name": "User",
"properties": {
"realm": {
"type": "string"
},
"username": {
"type": "string"
},
"realName": {
"type": "string",
"required": true
},
"timezone": {
"type": "string",
"required": false
},
"language": {
"type": "string",
"required": false
},
"password": {
"type": "string",
"required": true
},
"credentials": {
"type": "object",
"deprecated": true
},
"challenges": {
"type": "object",
"deprecated": true
},
"email": {
"type": "string",
"required": true
},
"ownerId": {
"type": "number",
"required": true
},
"emailVerified": "boolean",
"verificationToken": "string",
"status": "boolean",
"created": "date",
"lastUpdated": "date"
},
"hidden": ["password"],
"acls": [
{
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "DENY"
},
{
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW",
"property": "create"
},
{
"principalType": "ROLE",
"principalId": "$owner",
"permission": "ALLOW",
"property": "deleteById"
},
{
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW",
"property": "login"
},
{
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW",
"property": "logout"
},
{
"principalType": "ROLE",
"principalId": "$owner",
"permission": "ALLOW",
"property": "findById"
},
{
"principalType": "ROLE",
"principalId": "$owner",
"permission": "ALLOW",
"property": "upsert"
},
{
"principalType": "ROLE",
"principalId": "$owner",
"permission": "ALLOW",
"property": "updateAttributes"
},
{
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW",
"property": "activation"
},
{
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW",
"property": "confirm"
},
{
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW",
"property": "resetPassword",
"accessType": "EXECUTE"
}
],
"relations": {
"accessTokens": {
"type": "hasMany",
"model": "AccessToken",
"foreignKey": "userId",
"options": {
"disableInclude": true
}
}
}
}
答案 0 :(得分:0)
您是否打算覆盖基本用户模型?如果是这样,您应该将其命名为MyUser,并将基数设置为" User"。在server / model-config.json中,设置" public"对于"用户"为false对于" MyUser"。
答案 1 :(得分:0)
好的,让我们解释一下解决方案。
使用安全性调试命令行,我可以看到Loopback如何解析权限:
# DEBUG=loopback:security:role node .
loopback:security:role isInRole(): $everyone +0ms
loopback:security:role Custom resolver found for role $everyone +1ms
loopback:security:role isInRole(): $owner +0ms
loopback:security:role Custom resolver found for role $owner +0ms
loopback:security:role isOwner(): User 11 userId: 11 +1ms
loopback:security:role Model found: {"realm":null,"username":"...","id":11} +4ms
loopback:security:role No matching belongsTo relation found for model "11" and user: 11 +1ms
使用这些数据我创建了一个名为" userId"的字段。在User表中,并将belongsTo指令指向它自己的文件(user.json)中的该字段。
"user": {
"type": "belongsTo",
"model": "User",
"foreignKey": "userId"
}
现在,用户11可以编辑您自己的个人资料,但无法查看或更改任何其他用户注册。
它不是一个漂亮的解决方案,实际上loopback应该在ACL逻辑中有这个自我相关的指令,但是它可以工作。
此致