我有一个类Room,其类级别为ACL public read/write。然后,每条记录都有一个记录级别ACL,其记录级别为<owner-user-id> r / w和role:Admin r / w。
碰巧,具有角色admin的用户只能读取“部分”会议室,即使他们都具有相同的ACL(仅更改用户ID),而他却无法读取“公共记录”。
奇怪的事实:如果我在没有任何sessionToken的情况下查询Room类,则会看到公共记录,但是如果我使用role:Admin用户的会话令牌,则看不到它们。
REST API和Javascript Client API都存在相同的问题。
这怎么可能?我缺少一些配置吗?
以下是“ role:Admin用户” cannot从mongodb中读取的会议室示例:
{
"_id" : "MZoIBY3zuo",
"xxx" : [],
"_p_home" : "Home$xxxxx",
"roomName" : "xxxxx",
"area" : null,
"height" : x,
"windows" : x,
"tempMin" : x,
"tempMax" : x,
"_wperm" : [
"CpcI4SOzE4",
"role:Admin",
"*"
],
"_rperm" : [
"CpcI4SOzE4",
"role:Admin",
"*"
],
"_acl" : {
"CpcI4SOzE4" : {
"w" : true,
"r" : true
},
"role:Admin" : {
"w" : true,
"r" : true
},
"*" : {
"w" : true,
"r" : true
}
},
"_created_at" : ISODate("2018-10-31T14:02:32.791Z"),
"_updated_at" : ISODate("2018-11-04T11:23:19.683Z")
}
{
"_id" : "BziFbnP1Ny",
"xxx" : [],
"_p_home" : "Home$pbqrrk1JVo",
"roomName" : "xxx2",
"area" : null,
"height" : 3,
"windows" : 2,
"tempMin" : 20,
"tempMax" : 23,
"_wperm" : [
"CpcI4SOzE4",
"role:Admin"
],
"_rperm" : [
"CpcI4SOzE4",
"role:Admin"
],
"_acl" : {
"CpcI4SOzE4" : {
"w" : true,
"r" : true
},
"role:Admin" : {
"w" : true,
"r" : true
}
},
"_created_at" : ISODate("2018-10-31T14:02:00.180Z"),
"_updated_at" : ISODate("2018-11-01T01:08:53.643Z")
}
在Room中,“角色:管理员用户” can读为:
{
"_id" : "pCzvLPWbYD",
"_p_home" : "Home$sYX5pMvUfe",
"roomName" : "xxx3",
"area" : null,
"height" : 3,
"windows" : 4,
"tempMin" : 21,
"tempMax" : 23,
"_wperm" : [
"TgNwD80kcR",
"role:Admin"
],
"_rperm" : [
"TgNwD80kcR",
"role:Admin"
],
"_acl" : {
"TgNwD80kcR" : {
"w" : true,
"r" : true
},
"role:Admin" : {
"w" : true,
"r" : true
}
},
"_created_at" : ISODate("2018-10-12T15:09:55.244Z"),
"_updated_at" : ISODate("2018-11-04T10:43:57.607Z"),
"xxx" : [],
"xxxx" : {}
}
角色
> db.getCollection('_Role').find()
{ "_id" : "Y0Y3xg3Tij", "_rperm" : [ "role:Redactor" ], "_wperm" : [ ], "_acl" : { "role:Redactor" : { "r" : true } }, "name" : "Redactor", "_updated_at" : ISODate("2017-12-01T09:05:59.306Z"), "_created_at" : ISODate("2016-10-17T16:07:27.186Z") }
{ "_id" : "CGuF9CgXjs", "name" : "Admin", "_wperm" : [ ], "_rperm" : [ "role:Admin" ], "_acl" : { "role:Admin" : { "r" : true } }, "_created_at" : ISODate("2017-12-01T09:05:07.986Z"), "_updated_at" : ISODate("2017-12-01T09:07:25.473Z") }
与角色关联的用户:
> db.getCollection('_Join:users:_Role').find()
{ "_id" : ObjectId("5a211bcdbd15be8e7457a263"), "owningId" : "CGuF9CgXjs", "relatedId" : "yHhVd7yybE" }
{ "_id" : ObjectId("5a211bcdbd15be8e7457a264"), "owningId" : "CGuF9CgXjs", "relatedId" : "OAhrAzI7HV" }
管理员用户:
> db.getCollection('_User').find({username: 'XXX'})
{ "_id" : "yHhVd7yybE", "utcTime" : ISODate("2017-09-16T09:45:23.225Z"), "username" : "XXX", "email" : "xxxx", "_hashed_password" : "xxxxxxx", "_wperm" : [ "yHhVd7yybE" ], "_rperm" : [ "*", "yHhVd7yybE" ], "_acl" : { "yHhVd7yybE" : { "w" : true, "r" : true }, "*" : { "r" : true } }, "_created_at" : ISODate("2017-09-16T09:41:16.941Z"), "_updated_at" : ISODate("2018-09-28T21:41:31.740Z"), "_p_linkedHome" : "Home$R0H3ObzmMC", "location" : "Zurich" }
房间架构:
{
"_id" : "Room",
"objectId" : "string",
"updatedAt" : "string",
"createdAt" : "string",
"roomName" : "string",
"tempMin" : "number",
"tempMax" : "number",
"area" : "number",
"height" : "number",
"windows" : "number",
"home" : "*Home",
"data" : "array",
"xxxxx" : "array",
"xxx" : "array",
"_metadata" : {
"class_permissions" : {
"get" : {
"*" : true,
"role:Admin" : true
},
"find" : {
"*" : true,
"role:Admin" : true
},
"create" : {
"*" : true,
"role:Admin" : true
},
"update" : {
"*" : true,
"role:Admin" : true
},
"delete" : {
"*" : true,
"role:Admin" : true
},
"addField" : {
"*" : true,
"role:Admin" : true
}
},
"indexes" : {
"_id_" : {
"_id" : 1
}
}
},
"xxxx" : "object"
}
答案 0 :(得分:0)
我天哪,我发现了问题。实际上,我没有在客户端和REST API上正确设置查询上的limit,因此它返回的是最近的100个房间,而公共房间当然是最后一个创建的房间。非常愚蠢的错误:(