11

Im trying to list all the Users in my loopback 2.0 app using the REST API and I'm getting the following error:

{
  "error": {
    "name": "Error",
    "status": 401,
    "message": "Authorization Required",
    "statusCode": 401,
    "stack": "...."
  }
}

I manually added the ACL to the model-config.json file:

"User": {
    "dataSource": "db",
    "acls": [
        {
            "principalType": "ROLE",
            "principalId": "$everyone",
            "permission": "ALLOW",
            "accessType": "*"
        }
    ]
},

Since that failed, I created a model based on the User built-in model:

{
    "name": "Admin",
    "base": "User",
    "properties": {},
    "validations": [],
    "relations": {},
    "acls": [
        {
            "principalType": "ROLE",
            "principalId": "$everyone",
            "permission": "ALLOW",
            "accessType": "*"
        }
    ],
    "methods": []
}

But in the REST API I still have the same issue:

{
  "error": {
    "name": "Error",
    "status": 401,
    "message": "Authorization Required",
    "statusCode": 401,
    "stack": "....."
  }
}

I appreciate any help. =)

Deduplicator
  • 44,692
  • 7
  • 66
  • 118
jpcapdevila
  • 207
  • 3
  • 8
  • 2
    You can run the app with DEBUG=loopback:security:* node . to get the debug information for the ACLs. That may help. – snathan Aug 18 '14 at 01:50
  • @snathan thanks for the debug tip! That helped me see what was happening, there was another ACL with higher score, so I put an individual entry for "accessType": "READ" instead of "accessType": "*", and that gave my ACL a higher score. – jpcapdevila Aug 18 '14 at 10:40

2 Answers2

5

  1. We should allow you to further configure the built-in model with additional ACLs. This is a todo for LoopBack.

  2. You can subclass the built-in User model in common/user.json as you have illustrated.

    { "name": "user", "base": "User", "plural": "users" }

Then you need to expose it to REST by adding an entry to server/model-config.json, such as:

"user": {
    "dataSource": "db",
    "public": true
  },
Raymond Feng
  • 1,516
  • 9
  • 5
  • 2
    Thanks for pointing out that we cannot extend the ACL of build-in models. My common/admin.json ended up like this: { "name": "Admin", "base": "User", "plural": "Admins", "properties": {}, "validations": [], "relations": {}, "acls": [ { "principalType": "ROLE", "principalId": "$everyone", "permission": "ALLOW", "accessType": "READ" } ], "methods": [] } – jpcapdevila Aug 18 '14 at 10:45
  • 4
    It'd be great if the docs reflected this, b/c I'm coming in almost a year later and ran into the same issue w/o being warned in the docs about it. – Paul Aug 01 '15 at 16:53
0

Seems loopback ppl allso hit that issue: https://github.com/strongloop/loopback-example-access-control/issues/8

Archer
  • 5,073
  • 8
  • 50
  • 96