MLab and Loopback ACL - hasMany (POST)

Time: 2016-12-12 21:57:32

Tags: node.js mongodb acl loopbackjs mlab

I'm very new to node.js / mlab and I'm trying to work out my ACLs.

I have two models, Song and Account.

I created a hasMany relation between Account and Song, where an Account has many Songs called favorites.

"relations": {
  "favorites": {
    "type": "hasMany",
    "model": "Song",
    "foreignKey": ""
  }
}

The way I want to set up the ACLs is that only administrators can create new songs, but anyone who is authenticated can add songs to their favorites.

I have an endpoint (id = userId; it also requires a token):

/Accounts/{id}/favorites

The problem is that whenever I try to POST to this endpoint I get:

http://0.0.0.0:3000/api/Accounts/584e6ed148d44a6c1e53c1a3/favorites 401 (Unauthorized)

The current ACL for Song is:

"acls": [
  {
    "accessType": "*",
    "principalType": "ROLE",
    "principalId": "administrator",
    "permission": "ALLOW"
  },
  {
    "accessType": "*",
    "principalType": "ROLE",
    "principalId": "$everyone",
    "permission": "DENY"
  },
  {
    "accessType": "READ",
    "principalType": "ROLE",
    "principalId": "$everyone",
    "permission": "ALLOW"
  }
]

The current ACL for Accounts is:

"acls": [
  {
    "accessType": "EXECUTE",
    "principalType": "ROLE",
    "principalId": "$authenticated",
    "permission": "ALLOW",
    "property": "POST"
  }
]

I traced it:

  loopback:security:role isInRole(): $everyone +0ms
  loopback:security:access-context ---AccessContext--- +2ms
  loopback:security:access-context principals: +1ms
  loopback:security:access-context principal: {"type":"USER","id":"584e6ed148d44a6c1e53c1a3"} +0ms
  loopback:security:access-context modelName Account +1ms
  loopback:security:access-context modelId 584e6ed148d44a6c1e53c1a3 +0ms
  loopback:security:access-context property __create__favorites +0ms
  loopback:security:access-context method __create__favorites +0ms
  loopback:security:access-context accessType WRITE +0ms
  loopback:security:access-context accessToken: +0ms
  loopback:security:access-context   id "QD2gi3uUr7g07EN7NhCbeSeyKT4AEZGWUoQQB9V0siFzgBOiPM1WOAkLhvxHCQGq" +0ms
  loopback:security:access-context   ttl 1209600 +0ms
  loopback:security:access-context getUserId() 584e6ed148d44a6c1e53c1a3 +0ms
  loopback:security:access-context isAuthenticated() true +0ms
  loopback:security:role Custom resolver found for role $everyone +0ms
  loopback:security:acl The following ACLs were searched:  +1ms
  loopback:security:acl ---ACL--- +1ms
  loopback:security:acl model Account +0ms
  loopback:security:acl property * +0ms
  loopback:security:acl principalType ROLE +0ms
  loopback:security:acl principalId $everyone +0ms
  loopback:security:acl accessType * +0ms
  loopback:security:acl permission DENY +0ms
  loopback:security:acl with score: +0ms 7495
  loopback:security:acl ---Resolved--- +0ms
  loopback:security:access-context ---AccessRequest--- +0ms
  loopback:security:access-context  model Account +0ms
  loopback:security:access-context  property __create__favorites +0ms
  loopback:security:access-context  accessType WRITE +0ms
  loopback:security:access-context  permission DENY +1ms
  loopback:security:access-context  isWildcard() false +0ms
  loopback:security:access-context  isAllowed() false +0ms

Thanks!

1 Answer:

Answer 0 (score: 1)

Got it! Access has to be set for the specific property, because the default is to deny access.

{
  "accessType": "EXECUTE",
  "principalType": "ROLE",
  "principalId": "$owner",
  "permission": "ALLOW",
  "property": "__create__favorites"
},
{
  "accessType": "EXECUTE",
  "principalType": "ROLE",
  "principalId": "$owner",
  "permission": "ALLOW",
  "property": "__get__favorites"
}
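Added example, not part of the question or the answer and not LoopBack's own code: a simplified JavaScript model of the resolution the debug trace shows, assuming Account extends the built-in User model (the source of the "DENY $everyone *" entry in the trace) and that the caller's roles have already been resolved. It shows why the "POST" entry never matches the generated method name "__create__favorites", why the method-level entries from the answer fix it, and that using $owner rather than $authenticated keeps other logged-in users from writing to this account's favorites.

```javascript
// Added illustration, not LoopBack's own resolver: a simplified model of how the
// most specific matching ACL entry wins (exact method beats "*", and on a tie
// DENY beats ALLOW). EXECUTE and "*" entries are treated as matching any request.
const ROLE_RANK = { $everyone: 1, $authenticated: 2, $owner: 3 };
// Entry inherited from the built-in User model (the "DENY $everyone *" entry in
// the trace). Assumption: Account extends User.
const userBaseAcl = { accessType: '*', principalType: 'ROLE', principalId: '$everyone', permission: 'DENY' };

// The question's Account ACL: "POST" is not a method name, so it never matches.
const originalAcls = [userBaseAcl, {
  accessType: 'EXECUTE', principalType: 'ROLE', principalId: '$authenticated',
  permission: 'ALLOW', property: 'POST',
}];

// The answer's fix: allow only the owner, only on the relation's generated methods.
const fixedAcls = [userBaseAcl, ...['__create__favorites', '__get__favorites'].map(
  (property) => ({ accessType: 'EXECUTE', principalType: 'ROLE', principalId: '$owner', permission: 'ALLOW', property }))];

// Returns a specificity score for a matching entry, or -1 if it does not apply.
function matchScore(acl, req) {
  const property = acl.property || '*';
  let score = 0;
  if (property === req.property) score += 100;
  else if (property !== '*') return -1;                 // e.g. "POST": no match
  if (acl.accessType === req.accessType) score += 10;
  else if (acl.accessType === 'EXECUTE' || acl.accessType === '*') score += 5;
  else return -1;
  if (!req.roles.includes(acl.principalId)) return -1;  // caller lacks the role
  return score + (ROLE_RANK[acl.principalId] || 4);     // custom roles rank highest
}

function resolve(acls, req) {
  let best = null, bestScore = -1;
  for (const acl of acls) {
    const score = matchScore(acl, req);
    if (score < 0) continue;
    if (score > bestScore || (score === bestScore && acl.permission === 'DENY')) {
      best = acl; bestScore = score;
    }
  }
  return best ? best.permission : 'DENY'; // no matching entry: treat as deny
}

// Request shape from the trace; the caller's roles are assumed already resolved.
const OWNER = ['$everyone', '$authenticated', '$owner'];
const OTHER_USER = ['$everyone', '$authenticated'];
const createFavorite = (roles) => ({ property: '__create__favorites', accessType: 'WRITE', roles });
console.log(resolve(originalAcls, createFavorite(OWNER)));   // DENY (the 401)
console.log(resolve(fixedAcls, createFavorite(OWNER)));      // ALLOW
console.log(resolve(fixedAcls, createFavorite(OTHER_USER))); // DENY
```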