1

I have typed in at the command line: slc loopback:acl and disabled all security for the User model.

In the StrongLoop explorer, a simple GET Users request gives me a 401 authorization required error.

Any ideas how to open up the User object? Is this a known bug?

Thank you

Jordan Kasper
user798719
  • It is possible by extending the user model and setting up permissions for your custom model, but... **I would NEVER recommend doing this.** Why would you open User or any other security-related model? There is no point in doing this because the intention is to secure your application. By opening this or any other security-related model, your application will be completely unprotected. Private user data will also be exposed to everyone. Maybe you are trying to do something else? – A.Z. May 18 '15 at 09:04
  • I understand your concerns. This is just for development. I want to add the login/security functionality at the end of the project. So I want to disable temporarily. – user798719 May 18 '15 at 09:06

2 Answers

4

You can extend your user model and set permissions for your custom model like this:

{
  "name": "CustomUser",
  "base": "User",
  "idInjection": true,
  "properties": {},
  "validations": [],
  "relations": {},
  "acls": [
    {
      "accessType": "READ",
      "principalType": "ROLE",
      "principalId": "$unauthenticated",
      "permission": "ALLOW"
    },
    {
      "accessType": "READ",
      "principalType": "ROLE",
      "principalId": "$authenticated",
      "permission": "ALLOW"
    },
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW"
    }
  ],
  "methods": []
}

However, I would NEVER recommend doing this.

A.Z.
  • If this is not recommended, can you please explain how to achieve a scenario like this: A user with admin has to view all the users in a list using the angular-sdk provided by lb-ng. Check for duplicate username while creating/registering a new user. Whatever attempts are made result in an Unauthorized error. Also, posted a question for the same http://stackoverflow.com/questions/31907774/how-to-get-user-information-in-strongloop-using-angular-js – Anoop Thiruonam Aug 15 '15 at 18:42
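
A check that could run before the development-only ACLs in the answer above reach a deployed build, as an added example that is not part of the original answer: it walks a model definition's `acls` array and reports every ALLOW entry for the built-in roles `$everyone`, `$unauthenticated` or `$authenticated`. The function name `auditAcls`, the severity labels and the embedded copy of the CustomUser definition are assumptions of this example.

```javascript
'use strict';

// Built-in LoopBack roles that match callers without any per-user check.
// The severity labels are this example's own convention.
const BROAD_ROLES = new Map([
  ['$everyone', 'high'],
  ['$unauthenticated', 'high'],
  ['$authenticated', 'medium'],
]);

// Return one finding per ALLOW entry that grants a broad role access.
function auditAcls(modelDef) {
  const findings = [];
  (modelDef.acls || []).forEach((acl, index) => {
    if (acl.permission !== 'ALLOW' || acl.principalType !== 'ROLE') return;
    const severity = BROAD_ROLES.get(acl.principalId);
    if (!severity) return;
    findings.push({
      model: modelDef.name,
      index,
      principalId: acl.principalId,
      accessType: acl.accessType || '*', // "*" is the documented default
      severity,
    });
  });
  return findings;
}

// Constructed sample: the CustomUser definition from the answer above.
const CUSTOM_USER = {
  name: 'CustomUser',
  base: 'User',
  acls: [
    { accessType: 'READ', principalType: 'ROLE', principalId: '$unauthenticated', permission: 'ALLOW' },
    { accessType: 'READ', principalType: 'ROLE', principalId: '$authenticated', permission: 'ALLOW' },
    { accessType: '*', principalType: 'ROLE', principalId: '$owner', permission: 'ALLOW' },
  ],
};

for (const f of auditAcls(CUSTOM_USER)) {
  console.log(`[${f.severity}] ${f.model} acls[${f.index}]: ${f.principalId} may ${f.accessType}`);
}
```

The `$owner` entry is not reported because that role is resolved per record rather than matching every caller.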
0

If you really want to disable the endpoints on the User model, you can do this.

Go to your model.config.json and add "public": false to the User field like so:

...

  "User": {
    "public": false,
    "dataSource": "db"
  },
...
codejockie