
Please could anyone help me?

I've created an admin user and a simple user. The admin can do anything, that's OK, but I'm trying to edit the simple user using his own authenticated token, and I got unauthorized every time, even with GET, POST, PUT or DELETE. Here is my user.json:

{
  "name": "User",
  "properties": {
    "realm": {
      "type": "string"
    },
    "username": {
      "type": "string"
    },
    "realName": {
      "type": "string",
      "required": true
    },
    "timezone": {
      "type": "string",
      "required": false
    },
    "language": {
      "type": "string",
      "required": false
    },
    "password": {
      "type": "string",
      "required": true
    },
    "credentials": {
      "type": "object",
      "deprecated": true
    },
    "challenges": {
      "type": "object",
      "deprecated": true
    },
    "email": {
      "type": "string",
      "required": true
    },
    "ownerId": {
      "type": "number",
      "required": true
    },
    "emailVerified": "boolean",
    "verificationToken": "string",
    "status": "boolean",
    "created": "date",
    "lastUpdated": "date"
  },
  "hidden": ["password"],
  "acls": [
    {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
    },
    {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "ALLOW",
      "property": "create"
    },
    {
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW",
      "property": "deleteById"
    },
    {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "ALLOW",
      "property": "login"
    },
    {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "ALLOW",
      "property": "logout"
    },
    {
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW",
      "property": "findById"
    },
    {
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW",
      "property": "upsert"
    },
    {
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW",
      "property": "updateAttributes"
    },
    {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "ALLOW",
      "property": "activation"
    },
    {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "ALLOW",
      "property": "confirm"
    },
    {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "ALLOW",
      "property": "resetPassword",
      "accessType": "EXECUTE"
    }
  ],
  "relations": {
    "accessTokens": {
      "type": "hasMany",
      "model": "AccessToken",
      "foreignKey": "userId",
      "options": {
        "disableInclude": true
      }
    }
  }
}


Do you intend to override the base User model? If so, you should name it to something like MyUser and set the base as "User". In server/model-config.json, set "public" to false for "User" and true for "MyUser".

Raymond Feng
  • Hi Raymond, actually I don't want to create another user model, I'm extending the built-in model. I just need to allow the user to edit his own profile, but the principalId: $owner does not work for the User entity, unless I need to do some different configuration to allow that. – Wesley Milan Jul 08 '15 at 22:48

OK, let's explain the solution.

Using the security debug command line I could see how Loopback resolves permissions:

# DEBUG=loopback:security:role node .
loopback:security:role isInRole(): $everyone +0ms
  loopback:security:role Custom resolver found for role $everyone +1ms
  loopback:security:role isInRole(): $owner +0ms
  loopback:security:role Custom resolver found for role $owner +0ms
  loopback:security:role isOwner(): User 11 userId: 11 +1ms
  loopback:security:role Model found: {"realm":null,"username":"...","id":11} +4ms
  loopback:security:role No matching belongsTo relation found for model "11" and user: 11 +1ms

Using this data I created a field named "userId" in the User table and pointed a belongsTo directive to this field inside its own file (user.json).

"user": {
  "type": "belongsTo",
  "model": "User",
  "foreignKey": "userId"
}

Now the user 11 can edit his own profile but cannot see or change any other user's record.

It's not a beautiful solution, actually loopback should have this self-related directive inside the ACL logic, but it works.

Regards
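As an added illustration (not code from the post or from LoopBack itself), the script below re-implements in miniature the two decisions the debug log above walks through: the `$owner` lookup via a belongsTo relation to User, and the ACL verdict for one method. The model definitions, token and records are constructed here, and the precedence rule (a property-specific entry overrides the model-wide `$everyone` DENY) is a simplification assumed for the demo.

```javascript
// Constructed definitions: the stock model has no belongsTo relation, the
// patched one carries the asker's "user" relation on the added "userId" column.
const stockUser = { name: 'User', relations: {} };
const patchedUser = {
  name: 'User',
  relations: { user: { type: 'belongsTo', model: 'User', foreignKey: 'userId' } },
};

// Mirrors the "isOwner()" step in the log: find a belongsTo relation pointing at
// the User model and compare its foreign key with the userId of the token.
function isOwner(modelDef, instance, tokenUserId) {
  for (const rel of Object.values(modelDef.relations)) {
    if (rel.type === 'belongsTo' && rel.model === 'User') {
      return String(instance[rel.foreignKey]) === String(tokenUserId);
    }
  }
  return false; // "No matching belongsTo relation found"
}

// Resolves an ACL list for one method. The caller always holds "$everyone" and
// holds "$owner" only when isOwner() succeeds. Simplified precedence (assumed):
// a property-specific entry beats a model-wide one; DENY wins on a tie.
function decide(acls, modelDef, instance, tokenUserId, method) {
  const roles = new Set(['$everyone']);
  if (isOwner(modelDef, instance, tokenUserId)) roles.add('$owner');
  let verdict = 'DENY';
  let specificity = -1;
  for (const acl of acls) {
    if (!roles.has(acl.principalId)) continue;
    if (acl.property && acl.property !== method) continue;
    const score = acl.property ? 1 : 0;
    if (score > specificity || (score === specificity && acl.permission === 'DENY')) {
      verdict = acl.permission;
      specificity = score;
    }
  }
  return verdict;
}

// Constructed data: the two entries from the asker's ACL list that matter for
// updateAttributes, and user 11 whose userId column points at its own id.
const acls = [
  { principalType: 'ROLE', principalId: '$everyone', permission: 'DENY' },
  { principalType: 'ROLE', principalId: '$owner', permission: 'ALLOW', property: 'updateAttributes' },
];
const me = { id: 11, username: 'alice', userId: 11 };
const other = { id: 12, username: 'bob', userId: 12 };
console.log(decide(acls, stockUser, me, 11, 'updateAttributes'));   // DENY
console.log(decide(acls, patchedUser, me, 11, 'updateAttributes')); // ALLOW
console.log(decide(acls, patchedUser, other, 11, 'updateAttributes')); // DENY
```

The first call reproduces the unauthorized result from the question, the second shows the self-referencing relation letting user 11 through, and the third confirms the same token is still refused on another user's record.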