I'm using the loopback framework.
It is not very clear to me when to use RoleMapping with static roles and ACL, also after reading the documentation here and here.
I have a boot script where I insert some major static roles in my application (admin, approver, validator, etc) and I use those roles in ACL.
Seems to me that when I declare the user role I have to use RoleMapping.USER:
    // create the user that will be given the 'approver' role
    const approver = yield app.models.User.create({
      email: '[email protected]',
      password: 'secret-apprpver-123',
      status: 'active',
      emailVerified: true
    });
    // look up the static role inserted by the boot script
    const roleApprover = yield app.models.Role.findOne({
      where: {name: 'approver'}
    });
    // map the user (principalType USER) to the role
    yield app.models.RoleMapping.create({
      principalId: approver.id,
      principalType: app.models.RoleMapping.USER,
      roleId: roleApprover.id
    });
While in the ACL I have to use RoleMapping.ROLE:
    {
      "principalType": "ROLE",
      "accessType": "EXECUTE",
      "principalId": "approver",
      "permission": "ALLOW",
      "property": "setApprove"
    }
But it is not very clear to me; it is a lot of headache every time I have to debug it, some dark magic and praying each time I have to manage new roles or a new ACL.
Is there someone who can explain to me how to do it?
(just putting this into an answer...)
In the first code block you are creating a user and a role, then adding that user to the role. In the second block (the ACL model config) you are allowing that role (and anyone in it) to take an action on a model (specifically in this case executing the setApprove() method). The two actions work in unison to provide authorization and authentication respectively.
To address the follow-up comment, the principalType in the model config ACL is "ROLE" because you want anyone in that role to be able to take that action. If you instead made the principalType "USER" then you would have to change the principalId to the new User ID and you would be only authorizing that one user (regardless of who is in the role) to take that action.