I'm pretty new to node.js/mlab and I'm trying to figure out my ACLs.
I have two models, Songs and Accounts.
I've created a has many relationship between Accounts and Songs where an account has many Songs called favorites.
"relations": {
"favorites": {
"type": "hasMany",
"model": "Song",
"foreignKey": ""
}
}
The way I want my ACL set up is that only the administrator can create new songs, but anyone who is authenticated can add Songs to their favorites.
I have an endpoint (id = userId and it also takes a token):
/Accounts/{id}/favorites
The problem is, whenever I try to POST to this endpoint I get:
http://0.0.0.0:3000/api/Accounts/584e6ed148d44a6c1e53c1a3/favorites 401 (Unauthorized)
For Songs, the current ACLs are:
"acls": [
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "administrator",
"permission": "ALLOW"
},
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "DENY"
},
{
"accessType": "READ",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW"
}]
For Accounts, the current ACLs are:
"acls": [
{
"accessType": "EXECUTE",
"principalType": "ROLE",
"principalId": "$authenticated",
"permission": "ALLOW",
"property": "POST"
}
]
I've traced it:
loopback:security:role isInRole(): $everyone +0ms
loopback:security:access-context ---AccessContext--- +2ms
loopback:security:access-context principals: +1ms
loopback:security:access-context principal: {"type":"USER","id":"584e6ed148d44a6c1e53c1a3"} +0ms
loopback:security:access-context modelName Account +1ms
loopback:security:access-context modelId 584e6ed148d44a6c1e53c1a3 +0ms
loopback:security:access-context property __create__favorites +0ms
loopback:security:access-context method __create__favorites +0ms
loopback:security:access-context accessType WRITE +0ms
loopback:security:access-context accessToken: +0ms
loopback:security:access-context id "QD2gi3uUr7g07EN7NhCbeSeyKT4AEZGWUoQQB9V0siFzgBOiPM1WOAkLhvxHCQGq" +0ms
loopback:security:access-context ttl 1209600 +0ms
loopback:security:access-context getUserId() 584e6ed148d44a6c1e53c1a3 +0ms
loopback:security:access-context isAuthenticated() true +0ms
loopback:security:role Custom resolver found for role $everyone +0ms
loopback:security:acl The following ACLs were searched: +1ms
loopback:security:acl ---ACL--- +1ms
loopback:security:acl model Account +0ms
loopback:security:acl property * +0ms
loopback:security:acl principalType ROLE +0ms
loopback:security:acl principalId $everyone +0ms
loopback:security:acl accessType * +0ms
loopback:security:acl permission DENY +0ms
loopback:security:acl with score: +0ms 7495
loopback:security:acl ---Resolved--- +0ms
loopback:security:access-context ---AccessRequest--- +0ms
loopback:security:access-context model Account +0ms
loopback:security:access-context property __create__favorites +0ms
loopback:security:access-context accessType WRITE +0ms
loopback:security:access-context permission DENY +1ms
loopback:security:access-context isWildcard() false +0ms
loopback:security:access-context isAllowed() false +0ms
Thank you!
Got it! Had to set access for specific property because default is deny access.
{
"accessType": "EXECUTE",
"principalType": "ROLE",
"principalId": "$owner",
"permission": "ALLOW",
"property": "__create__favorites"
},
{
"accessType": "EXECUTE",
"principalType": "ROLE",
"principalId": "$owner",
"permission": "ALLOW",
"property": "__get__favorites"
}