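Loopback - $owner role with a "hasMany" relation

Time: 2015-08-11 20:43:18

Tags: node.js acl loopbackjs

I have been reading the LoopBack documentation about roles. It states the following:

To qualify a $owner, the target model needs to have a belongsTo relation to the User model (or a model that extends from User) and a property matching the foreign key of the target model instance. The check for $owner is only performed for a remote method that has ':id' on the path, for example, GET /api/users/:id.

However, what happens when I have a "hasMany" relation and want to perform some action on a particular object, like this: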

PUT myusers/123/news/456

This would be my user.json:

{
  "name": "MyUser",
  "plural": "myusers",
  "base": "User",
  "idInjection": true,
  "options": {
    "validateUpsert": true
  },
  "properties": {},
  "validations": [],
  "relations": {
    "news": {
      "type": "hasMany",
      "model": "News",
      "foreignKey": ""
    }
  },
  "acls": [],
  "methods": []
}

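1 Answer:

Answer 0: (score: 4)

Based on this, this and this. I have changed the MyUser entity to a Writer entity, because I like it better.

Since the Writer entity has many News, the News relations and ACL should look like this (news.json):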

"relations": {
  "writer": {
    "type":"belongsTo",
    "model":"Writer",
    "foreignKey":"writer_id"
  }
},
"acls": [
  { // Nobody has access to nothing
    "accessType": "*",
    "principalType": "ROLE",
    "principalId": "$everyone",
    "permission": "DENY"
  },
  { // But everyone can read everything
    "accessType": "READ",
    "principalType": "ROLE",
    "principalId": "$everyone",
    "permission": "ALLOW"
  },
  { // And authenticated users can create news
    "accessType": "EXECUTE",
    "principalType": "ROLE",
    "principalId": "$authenticated",
    "permission": "ALLOW",
    "property": "create"
  },
  { // And the owner of a news can update it
    "accessType": "WRITE",
    "principalType": "ROLE",
    "principalId": "$owner",
    "permission": "ALLOW"
  }
],

The Writer entity has the same ACL rules, but these relations (writer.json):

"relations": {
  "news": {
    "type": "hasMany",
    "model": "News",
    "foreignKey": "writer_id"
  }
}

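What really happens here is that when you create a Writer, you must specify email and password, because it inherits from the User model. So if you want to perform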

PUT writers/123/news/456

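you must be logged in as a Writer, which can be done at this endpoint: /api/writers/login (email + password). This endpoint will give you the Writer token, and then you will be able to perform the update on the News if you have the $owner token in your header, URL or form.

On the other hand, you can also get the user who is making the HTTP request and set that user as the owner of the News with a hook.

Hope it helps. Regards.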
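The hook mentioned at the end of the answer, as an added example that is not part of the original answer: it takes writer_id from the access token instead of the request body, so the $owner check cannot be satisfied by a client-chosen foreign key. The file location (common/models/news.js), the function names and the LoopBack 2.x remote method names 'create' and 'prototype.updateAttributes' are assumptions; it covers News's own endpoints only.

```javascript
'use strict';
// Added example (assumed to live in common/models/news.js).
// writer_id is the foreign key from news.json; function names are hypothetical.

// On create: the owner always comes from the authenticated token.
function stampOwner(ctx, unused, next) {
  const token = ctx.req && ctx.req.accessToken;
  if (!token || token.userId == null) {
    const err = new Error('Authentication required');
    err.statusCode = 401;
    return next(err);
  }
  ctx.args.data = ctx.args.data || {};
  // Overwrite any client-supplied writer_id.
  ctx.args.data.writer_id = token.userId;
  next();
}

// On update: the $owner may edit the record but not hand it to another user.
function lockOwner(ctx, unused, next) {
  const data = ctx.args.data || {};
  const token = ctx.req && ctx.req.accessToken;
  const sameOwner = token && String(data.writer_id) === String(token.userId);
  if ('writer_id' in data && !sameOwner) {
    const err = new Error('writer_id cannot be changed');
    err.statusCode = 403;
    return next(err);
  }
  next();
}

// LoopBack calls the exported function with the model class.
function attachOwnerHooks(News) {
  News.beforeRemote('create', stampOwner);
  News.beforeRemote('prototype.updateAttributes', lockOwner);
}

if (typeof module !== 'undefined') module.exports = attachOwnerHooks;
```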