
In the StrongLoop API Explorer I have the option to query:

/People/{id}/food_prefs

Person is based on the built-in User model. This query should return a JSON list of all the food_prefs for that Person (User). Instead I get a 401 error about authorization.

The model relations are thus:

Person has many food_prefs
food_pref belongs to Person (foreign key: personId)

food_pref model looks like this:

property: type : number
property: personId : number

When I send a request to Person/{id}/food_pref I get an error 401:

{
  "error": {
    "name": "Error",
    "status": 401,
    "message": "Authorization Required",
    "statusCode": 401,
    "code": "AUTHORIZATION_REQUIRED",
    "stack": "Error: Authorization Required\n
}

I've not yet set up any ACLs, but even when I do set it up for access to everyone, I still get this error. Why?

Nathan McKaskle
  • You first need to authenticate your identity before making requests to the API. Include the session Id returned for authentication in requests. – marekful Jul 04 '15 at 17:10
  • I tried that, I got the authentication token and set the token in explorer, still no luck. Same error. It's weird because I can do a query on the opposite, /food_prefs/{id}/person and get the user ID and e-mail info for the person who owns that food_pref. – Nathan McKaskle Jul 04 '15 at 17:20
  • Also I did slc loopback:acl and set person to everybody has access for all methods and even that didn't do the trick. – Nathan McKaskle Jul 04 '15 at 17:24
  • What about the base user model ACL? Have you tried changing them to see if it impacts your child model? – valvince Jul 06 '15 at 17:11
  • In a much simpler model I tried adding this to the person.json under common/models { "accessType": "EXECUTE", "principalType": "ROLE", "principalId": "$everyone", "permission": "ALLOW", "property": "_get_toys" } which worked but it did not work for _get_food_prefs, I'm wondering if the property is named something else. – Nathan McKaskle Jul 06 '15 at 17:58

1 Answer


The answer is to add the following permissions to the ACL section in the Person model. The file name is common/models/person.json:

{ "accessType": "EXECUTE", 
  "principalType": "ROLE", 
  "principalId": "$everyone", 
  "permission": "ALLOW", 
  "property": "__get__foodPrefs" 
}

Similar properties can be set for other methods such as those you use to extend the model, for example a remote method called "getList" set in common/models/person.js. You would simply replace __get__foodPrefs with getList. Be sure to note that the auto-generated methods such as the one above have two underscores, not one.

Also, other permissions can be $authenticated, $owner, etc.

Nathan McKaskle
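
A lint for the naming mistake discussed in this thread, as an added example that is not part of the original posts or of LoopBack itself: it derives the relation method names (`__get__foodPrefs` and its siblings) from a model definition and flags ACL `property` values that match none of them, plus any that are open to `$everyone`. The model object, `lintAcls`, `relationMethodNames` and the `extraMethods` parameter are constructed for illustration, and the verb list covers hasMany and belongsTo relations only.

```javascript
// Added example: lint ACL "property" values against generated relation method names.
const RELATION_VERBS = {
  hasMany: ['get', 'create', 'delete', 'findById', 'updateById', 'destroyById', 'count'],
  belongsTo: ['get'],
};

// Builds names such as __get__foodPrefs: two underscores on each side of the verb.
function relationMethodNames(model) {
  const names = [];
  for (const [rel, def] of Object.entries(model.relations || {})) {
    for (const verb of RELATION_VERBS[def.type] || []) {
      names.push(`__${verb}__${rel}`);
    }
  }
  return names;
}

// Normalise for a fuzzy comparison: drop underscores, ignore case.
const squash = (s) => s.replace(/_/g, '').toLowerCase();

// extraMethods: built-in or custom remote method names the caller vouches for.
function lintAcls(model, extraMethods = []) {
  const generated = relationMethodNames(model);
  const known = new Set([...generated, ...extraMethods]);
  const findings = [];
  for (const acl of model.acls || []) {
    const prop = acl.property;
    if (typeof prop !== 'string' || prop === '*') continue; // model-wide rule
    if (!known.has(prop)) {
      const hint = generated.find((n) => squash(n) === squash(prop));
      findings.push({ property: prop, issue: 'unknown-method', suggestion: hint || null });
    } else if (acl.permission === 'ALLOW' && acl.principalId === '$everyone') {
      findings.push({ property: prop, issue: 'open-to-everyone', suggestion: null });
    }
  }
  return findings;
}

// Constructed model, shaped like common/models/person.json.
const person = {
  name: 'Person', base: 'User',
  relations: { foodPrefs: { type: 'hasMany', model: 'food_pref', foreignKey: 'personId' } },
  acls: [
    { accessType: 'EXECUTE', principalType: 'ROLE', principalId: '$everyone', permission: 'ALLOW', property: '_get_food_prefs' },
    { accessType: 'EXECUTE', principalType: 'ROLE', principalId: '$everyone', permission: 'ALLOW', property: '__get__foodPrefs' },
    { accessType: 'EXECUTE', principalType: 'ROLE', principalId: '$owner', permission: 'ALLOW', property: 'getList' },
  ],
};
console.log(lintAcls(person, ['getList']));
```

An ACL entry whose `property` matches no method never applies, so the request falls through to the deny rules inherited from the built-in User model and returns 401. The `open-to-everyone` finding marks grants worth reviewing against `$authenticated` or `$owner`.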