I'm following the sample app style of defining a json file in the models directory, along with a .js file to load the json.
My problem is that the acls definition in my JSON file, which denies the $everyone role, is not being applied. I am able to GET api/clients as a non-privileged user successfully, with a status 200. I expect to get a status 401, access denied.
As a test, I added the same acls definition to the JSON of the default user model, and there I get a status 401, access denied, as expected.
Here is some of client.json
(as in a customer, not to be confused with front-end stuff)
{
"name": "client",
"public": true,
"dataSource": "db",
"plural": "clients",
"options": {
"strict": true,
"acls": [
{
"accessType": "*",
"permission": "DENY",
"principalType": "ROLE",
"principalId": "$everyone"
}
],
"scopes": {
"active": {"where": {"active": true}, "order": "company_name"}
}
},
"properties": {
"id": {
"type": "string",
"generated": true,
"id": true
},
"active": {
"type": "Boolean",
"default": true
},
"company_name": {
"type": "string",
"required": true,
"length": 64
}
}
client.js
// Reproduction of the problem: the model is registered with the REST API,
// but the ACLs declared in client.json do not take effect.
var app = require('./../app');
var db = app.dataSources.db;
// Load config
var config = require('./client.json');
// Create model from config
// NOTE(review): the whole config object is passed as the second argument here.
// Per the resolution further down this page, createModel takes the properties
// and the options as separate arguments. Passed this way, config.options.acls
// is not applied and no error is raised, so the $everyone DENY rule is
// silently missing from the model.
var Client = db.createModel('client', config);
// Add to REST API
// With the DENY rule not applied, api/clients answered a non-privileged
// user with status 200 instead of the expected 401.
app.model(Client);
module.exports = Client;
Should acls be working on my client model, or is there something else I need to set up here?
I figured out the issue.
config.properties
and config.options
should be sent into createModel
as separate arguments.
// Pass the property definitions and the options as separate arguments so that
// config.options.acls (the $everyone DENY rule) is actually applied to the model.
var Client = db.createModel('client', config.properties, config.options);
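No errors will be generated if you pass in the entire config as properties, so the mistake fails open: the acls in config.options are ignored and the model stays reachable without authorization. After any change to the model definition, confirm that an unauthenticated or non-privileged request to the endpoint returns status 401.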
Note that config.plural also works when defined inside the config.options object.