ACL with LoopBack

Time: 2019-06-13 05:41:20

Tags: node.js mongodb authentication loopbackjs acl

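I want only an admin's access token to be able to access create on the admin models. I added ACLs, but an admin can still be created with the token of a user whose role is USER.
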
{
"_id" : ObjectId("5d01de6a65f3a121b8c25dbd"),
"principalType" : "USER",
"principalId" : "5d01de6a65f3a121b8c25dbc",
"roleId" : ObjectId("5cf8f99b0f8835f69ef14946")
},
{
"_id" : ObjectId("5d01de4a450c1553b68741fc"),
"principalType" : "USER",
"principalId" : "5d01de49450c1553b68741fb",
"roleId" : ObjectId("5cf8f9b20f8835f69ef14947")
}

Role model

{
"_id" : ObjectId("5cf8f99b0f8835f69ef14946"),
"name" : "USER",
"description" : "user",
"created" : ISODate("2019-06-06T11:31:13.003Z"),
"modified" : ISODate("2019-06-06T11:31:13.003Z")
},
{
"_id" : ObjectId("5cf8f9b20f8835f69ef14947"),
"name" : "admin",
"description" : "admin",
"created" : ISODate("2019-06-06T11:31:55.479Z"),
"modified" : ISODate("2019-06-06T11:31:55.479Z")
}

Admin.json

"acls": [
    {
        "accessType": "*",
        "principalType": "ROLE",
        "principalId": "$everyone",
        "permission": "DENY"
    },
    {
        "accessType": "EXECUTE",
        "principalType": "ROLE",
        "principalId": "admin",
        "permission": "ALLOW",
        "property": "create"
    }
]

0 answers:

No answers