
loopback - authorize GET Users?


I have a LoopBack project using Postgres and, by default, I am not authorized to GET Users (error 401). I don't have a user.json or user.js in my common/models.
How do I change the ACL of the User model?
After some research, I think I understood that some people recreate a user.json and then migrate it. Is that the way to override the ACL?


Solution

  • The User ACL (and most ACLs) works on a DENY * basis and adds exceptions for what is necessary. If you don't want to extend the default model, you can use the following:

    'use strict';

    const loopback = require('loopback');
    const boot = require('loopback-boot');

    // The LoopBack application instance; exported so other modules can require it.
    const app = loopback();
    module.exports = app;
    
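    /**
     * Allow unauthenticated callers to run `User.find` (GET /Users).
     *
     * The built-in User model denies everything by default and lists
     * exceptions; this appends one more exception at runtime instead of
     * overriding the model's JSON. Note that `$everyone` exposes the user
     * records (e.g. e-mail addresses) to anonymous clients — `$authenticated`
     * (or a custom role) is the narrower choice when anonymous listing is not
     * actually required.
     *
     * Idempotent: calling it twice (e.g. `app.start()` invoked more than once)
     * does not append a duplicate rule.
     *
     * @param {Object} User - the booted `app.models.User` model class
     */
    function allowEveryoneToFindUsers(User) {
      const rule = {
        'principalType': 'ROLE',
        'property': 'find',
        'principalId': '$everyone',
        'permission': 'ALLOW'
      };
      const acls = User.settings.acls;
      const alreadyPresent = acls.some(function(acl) {
        return acl.principalType === rule.principalType &&
          acl.principalId === rule.principalId &&
          acl.property === rule.property &&
          acl.permission === rule.permission;
      });
      if (!alreadyPresent) {
        acls.push(rule);
      }
    }

    /**
     * Start the HTTP server and emit `started` once it is listening.
     *
     * The ACL tweak is registered before `listen()` so that it is in place
     * before the socket accepts its first request, rather than inside the
     * listening callback as an afterthought.
     *
     * @returns {http.Server} the server returned by `app.listen`
     */
    app.start = function() {
      // Allow GET Users (models are populated by boot(), which runs before start()).
      allowEveryoneToFindUsers(app.models.User);

      // start the web server
      return app.listen(function() {
        app.emit('started');
        const baseUrl = app.get('url').replace(/\/$/, '');
        console.log('Web server listening at: %s', baseUrl);

        if (app.get('loopback-component-explorer')) {
          const explorerPath = app.get('loopback-component-explorer').mountPath;
          console.log('Browse your REST API at %s%s', baseUrl, explorerPath);
        }
      });
    };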
    
    // Bootstrap the application, configure models, datasources and middleware.
    // Sub-apps like REST API are mounted via boot scripts.
    boot(app, __dirname, (err) => {
      if (err) {
        throw err;
      }

      // start the server if `$ node server.js`
      if (require.main === module) {
        app.start();
      }
    });