
Comments (14)

raymondfeng avatar raymondfeng commented on August 18, 2024

Hi,

I debugged the issue. It seems that we pick the ‘DENY’ rule from the following acls:

{
"accessType": "*",
"permission": "DENY",
"principalType": "ROLE",
"principalId": "$everyone"
},
{
"accessType": "*",
"permission": "ALLOW",
"principalType": "ROLE",
"principalId": "$owner"
},
..
}

The algorithm we have tries to weigh the matching rules. In this case, the ‘DENY’ one has a higher score than the ‘ALLOW’ one. Intuitively, the ‘$owner’ role is more specific than ‘$everyone’. I wonder if we should change the current algorithm to match it.

Thanks,


Raymond Feng
Co-Founder and Architect @ StrongLoop, Inc.

StrongLoop makes it easy to develop APIs in Node, plus get DevOps capabilities like monitoring, debugging and clustering.

On Mar 18, 2014, at 5:49 PM, Nico Prananta [email protected] wrote:

Hi,

I'm trying to wrap my head around loopback's ACL but I couldn't figure out why /users/:id/account is not accessible even when a logged-in user calls it. I keep getting access denied.

/accounts/:id?access_token= also got access denied.

I thought since user belongs to account and account has acl:

{
"accessType": "*",
"permission": "ALLOW",
"principalType": "ROLE",
"principalId": "$owner"
}

account can be accessed by the owner which is the user it is associated with.

Enlighten me, please



from loopback-example-access-control.

nicnocquee avatar nicnocquee commented on August 18, 2024

So how do you propose the solution to allow owner and deny everyone else?


raymondfeng avatar raymondfeng commented on August 18, 2024

I'll investigate the possibility of considering the roles to determine which rule is more specific. For example, say '$everyone' is wider than '$owner'; then the rule for '$owner' will take precedence.


superkhau avatar superkhau commented on August 18, 2024

@raymondfeng is this good to close?


ryncorbeil-ssf avatar ryncorbeil-ssf commented on August 18, 2024

What is the status of this issue please? It appears that the original behavior stated above ("It seems that we pick the ‘DENY’ rule from the following acls") is still in force. Thanks.


ryncorbeil-ssf avatar ryncorbeil-ssf commented on August 18, 2024

If the issue has in fact been addressed, does any sample project exist?

What I would expect would be that a logged-in user would be able to 'find' only those model instances (records) that she created, and not any others. However, the user 'finds' ALL records, even those she did not create. Am I not understanding the semantics of the $owner role?

Googling, I found that it is necessary to create a 'belongsTo' relation, and explicitly create a property which serves as the foreignKey. When an instance is created, is the id of the 'owner' inserted as the foreign key automatically, or must the creator set that explicitly? I've tried the latter, with the following results... (Thanks in advance)

{
"name": "casinoUser",
"base": "User",
"strict": false,
"idInjection": true,
"options": {
"validateUpsert": true
},
"properties": {
"firstName": {
"type": "string",
"required": true
},
"lastName": {
"type": "string",
"required": true
},
"casinoId": {
"type": "string",
"required": true
},
"ownerId": {
"type": "string",
"required": true
}
},
"validations": [],
"relations": {
"casino": {
"type": "belongsTo",
"model": "casino",
"foreignKey": "casinoId"
},
"user": {
"type": "belongsTo",
"model": "User",
"roles": ["owner"],
"foreignKey": "ownerId"
}
},
"acls": [
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "DENY"
},
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "admin",
"permission": "ALLOW"
},
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$owner",
"permission": "ALLOW"
}
],
"methods": {}
}

loopback:security:role isInRole(): $everyone +24s
loopback:security:access-context ---AccessContext--- +1ms
loopback:security:access-context principals: +1ms
loopback:security:access-context principal: {"type":"USER","id":"55fa0f3e2fe396f3155d9a0e"} +1ms
loopback:security:access-context modelName casinoUser +1ms
loopback:security:access-context modelId undefined +1ms
loopback:security:access-context property find +2ms
loopback:security:access-context method find +1ms
loopback:security:access-context accessType READ +4ms
loopback:security:access-context accessToken: +1ms
loopback:security:access-context id "LaghUTG5gOBYr4eOD7B6zxJxnIGElg3wzjmZLT2coFlrIg5UdMnmxppUwGT8i415" +0ms
loopback:security:access-context ttl 1209600 +1ms
loopback:security:access-context getUserId() 55fa0f3e2fe396f3155d9a0e +1ms
loopback:security:access-context isAuthenticated() true +1ms
loopback:security:role Custom resolver found for role $everyone +1ms
loopback:security:role isInRole(): $everyone +1ms
loopback:security:access-context ---AccessContext--- +1ms
loopback:security:access-context principals: +1ms
loopback:security:access-context principal: {"type":"USER","id":"55fa0f3e2fe396f3155d9a0e"} +0ms
loopback:security:access-context modelName casinoUser +1ms
loopback:security:access-context modelId undefined +0ms
loopback:security:access-context property find +1ms
loopback:security:access-context method find +0ms
loopback:security:access-context accessType READ +0ms
loopback:security:access-context accessToken: +1ms
loopback:security:access-context id "LaghUTG5gOBYr4eOD7B6zxJxnIGElg3wzjmZLT2coFlrIg5UdMnmxppUwGT8i415" +0ms
loopback:security:access-context ttl 1209600 +0ms
loopback:security:access-context getUserId() 55fa0f3e2fe396f3155d9a0e +0ms
loopback:security:access-context isAuthenticated() true +0ms
loopback:security:role Custom resolver found for role $everyone +1ms
loopback:security:role isInRole(): admin +0ms
loopback:security:access-context ---AccessContext--- +0ms
loopback:security:access-context principals: +1ms
loopback:security:access-context principal: {"type":"USER","id":"55fa0f3e2fe396f3155d9a0e"} +0ms
loopback:security:access-context modelName casinoUser +0ms
loopback:security:access-context modelId undefined +0ms
loopback:security:access-context property find +0ms
loopback:security:access-context method find +0ms
loopback:security:access-context accessType READ +0ms
loopback:security:access-context accessToken: +0ms
loopback:security:access-context id "LaghUTG5gOBYr4eOD7B6zxJxnIGElg3wzjmZLT2coFlrIg5UdMnmxppUwGT8i415" +0ms
loopback:security:access-context ttl 1209600 +0ms
loopback:security:access-context getUserId() 55fa0f3e2fe396f3155d9a0e +0ms
loopback:security:access-context isAuthenticated() true +0ms
loopback:security:role Custom resolver found for role admin +0ms
loopback:security:role isInRole(): $owner +0ms
loopback:security:access-context ---AccessContext--- +1ms
loopback:security:access-context principals: +0ms
loopback:security:access-context principal: {"type":"USER","id":"55fa0f3e2fe396f3155d9a0e"} +0ms
loopback:security:access-context modelName casinoUser +0ms
loopback:security:access-context modelId undefined +0ms
loopback:security:access-context property find +0ms
loopback:security:access-context method find +0ms
loopback:security:access-context accessType READ +0ms
loopback:security:access-context accessToken: +0ms
loopback:security:access-context id "LaghUTG5gOBYr4eOD7B6zxJxnIGElg3wzjmZLT2coFlrIg5UdMnmxppUwGT8i415" +0ms
loopback:security:access-context ttl 1209600 +0ms
loopback:security:access-context getUserId() 55fa0f3e2fe396f3155d9a0e +0ms
loopback:security:access-context isAuthenticated() true +0ms
loopback:security:role Custom resolver found for role $owner +0ms
loopback:security:acl The following ACLs were searched: +1ms
loopback:security:acl ---ACL--- +1ms
loopback:security:acl model casinoUser +0ms
loopback:security:acl property * +0ms
loopback:security:acl principalType ROLE +0ms
loopback:security:acl principalId admin +0ms
loopback:security:acl accessType * +0ms
loopback:security:acl permission ALLOW +0ms
loopback:security:acl with score: +0ms 7508
loopback:security:acl ---ACL--- +0ms
loopback:security:acl model casinoUser +0ms
loopback:security:acl property * +0ms
loopback:security:acl principalType ROLE +1ms
loopback:security:acl principalId $everyone +0ms
loopback:security:acl accessType * +0ms
loopback:security:acl permission DENY +0ms
loopback:security:acl with score: +0ms 7495
loopback:security:acl ---ACL--- +0ms
loopback:security:acl model casinoUser +0ms
loopback:security:acl property * +0ms
loopback:security:acl principalType ROLE +0ms
loopback:security:acl principalId $everyone +0ms
loopback:security:acl accessType * +0ms
loopback:security:acl permission DENY +0ms
loopback:security:acl with score: +0ms 7495
loopback:security:acl ---Resolved--- +0ms
loopback:security:access-context ---AccessRequest--- +0ms
loopback:security:access-context model casinoUser +1ms
loopback:security:access-context property find +0ms
loopback:security:access-context accessType READ +0ms
loopback:security:access-context permission ALLOW +0ms
loopback:security:access-context isWildcard() false +0ms
loopback:security:access-context isAllowed() true +0ms


 avatar commented on August 18, 2024

This does not solve the problem. After updating this and also granting all the things in the acl for the user model that extends from the User model, I still get 401 : AUTHORIZATION_REQUIRED", "stack": "Error: Authorization in normal /get calls for user.


bekerov avatar bekerov commented on August 18, 2024

same problem.


richardpringle avatar richardpringle commented on August 18, 2024

@raymondfeng What's the status on this issue?


superkhau avatar superkhau commented on August 18, 2024

@richardpringle Can you try to reproduce this issue and see if it's still relevant?


richardpringle avatar richardpringle commented on August 18, 2024

@superkhau, it's still relevant. I put a bug label on the issue.


superkhau avatar superkhau commented on August 18, 2024

Cool, I'll assume you got it then.


richardpringle avatar richardpringle commented on August 18, 2024

@nicnocquee , @ryncorbeil-ssf , and @vabnirvana, I took a deeper look into this issue and it turns out that the functionality of the example is exactly as expected.
The acl,

 {
   "accessType": "*",
   "principalType": "ROLE",
   "principalId": "$everyone",
   "permission": "DENY"
 }

puts a blanket deny on every api endpoint. Each of the other ACLs gives specific ROLE access to the following endpoints:

projects/listProjects
projects/
projects/{id}
projects/donate
projects/withdraw

with the respective properties:

listProjects
find
findById
donate
withdraw

Any other endpoints will not work, for example projects/{id}/user.

So, I am going to close the issue. If you have any additional questions please post them here. See https://github.com/strongloop/loopback/wiki/Questions for more details on posting questions.

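A small model of the two situations discussed in this thread (Raymond's comment on how the matching rules are scored, and the closing explanation of a blanket DENY plus per-method ALLOWs), written in JavaScript as an added example that is not part of the thread or of LoopBack itself. It is a constructed resolver, not LoopBack's own ACL implementation; the specificity weights, the role ranking, the ACL sets and the request shapes are assumptions for illustration.

```javascript
// Constructed ACL resolver (added example; not LoopBack's algorithm).
// An ACL names a role, a property ("*" = any method), an accessType ("*" = any)
// and a permission. A request carries the roles the caller resolved to.
// Matching ACLs are ranked by specificity; on a tie, DENY wins, which is the
// behaviour the thread reports for "$everyone DENY" versus "$owner ALLOW".

// Assumed role ranking (narrower role = higher rank); named roles such as
// "admin" that are not listed are treated as the narrowest.
const ROLE_RANK = { $everyone: 0, $authenticated: 1, $owner: 2 };

function score(acl, rankRoles) {
  let s = 0;
  if (acl.property !== '*') s += 4;    // an explicit method beats "*"
  if (acl.accessType !== '*') s += 2;  // an explicit access type beats "*"
  if (rankRoles) {                     // Raymond's proposal: weigh the role too
    const r = ROLE_RANK[acl.principalId];
    s += r === undefined ? 3 : r;
  }
  return s;
}

function resolve(acls, req, { rankRoles = false } = {}) {
  const matches = acls.filter(a =>
    req.roles.includes(a.principalId) &&
    (a.property === '*' || a.property === req.property) &&
    (a.accessType === '*' || a.accessType === req.accessType));
  if (matches.length === 0) return 'DENY';  // default deny when nothing matches
  matches.sort((a, b) =>
    score(b, rankRoles) - score(a, rankRoles) ||
    Number(b.permission === 'DENY') - Number(a.permission === 'DENY'));
  return matches[0].permission;
}

// Scenario from the original report: blanket DENY plus an owner ALLOW on "*".
const OWNER_ACLS = [
  { principalId: '$everyone', property: '*', accessType: '*', permission: 'DENY' },
  { principalId: '$owner',    property: '*', accessType: '*', permission: 'ALLOW' },
];
const ownerRead = { roles: ['$everyone', '$authenticated', '$owner'], property: 'findById', accessType: 'READ' };

// Scenario from the closing comment: blanket DENY plus ALLOWs on named methods.
const PROJECT_ACLS = [
  { principalId: '$everyone',      property: '*',        accessType: '*',       permission: 'DENY' },
  { principalId: '$authenticated', property: 'find',     accessType: 'READ',    permission: 'ALLOW' },
  { principalId: '$owner',         property: 'withdraw', accessType: 'EXECUTE', permission: 'ALLOW' },
];
const authRoles = ['$everyone', '$authenticated'];

console.log(resolve(OWNER_ACLS, ownerRead));                       // DENY: equal scores, deny wins
console.log(resolve(OWNER_ACLS, ownerRead, { rankRoles: true }));  // ALLOW: $owner ranks narrower
console.log(resolve(PROJECT_ACLS, { roles: authRoles, property: 'find', accessType: 'READ' }));  // ALLOW
console.log(resolve(PROJECT_ACLS, { roles: authRoles, property: 'user', accessType: 'READ' }));  // DENY
```

The per-method ALLOWs win on specificity alone, so they work whether or not roles are ranked; a blanket ALLOW for $owner only wins once the resolver ranks roles.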

richardpringle avatar richardpringle commented on August 18, 2024

@ryncorbeil-ssf, I am not quite clear on what your question is.
I believe that the foreign key is automatically inserted if it is not explicitly declared (see the BelongsTo relations docs).

As for your specific case, it is not quite clear what you are trying to accomplish. I think the best place for you to get your question answered is at https://groups.google.com/forum/#!forum/loopbackjs.

Please read the questions wiki for more info to find the best way to get your questions answered.

Also, instead of posting code along with the console output, it's easier for someone to reproduce your issue with an actual repo; check out the bug-report section of the wiki.

Good luck!

