I'm trying to execute this request:

PUT /api/cars/564d8e792583afef310affe3/categories/rel/suv-idcat

This works fine if I'm logged in as administrator, but if I'm logged in as another role, I get a 401 response.

My Car model has the following ACLs:

...
{
  "accessType": "EXECUTE",
  "principalType": "ROLE",
  "principalId": "admin",
  "permission": "ALLOW",
  "property": "__create__categories"
},
{
  "accessType": "EXECUTE",
  "principalType": "ROLE",
  "principalId": "admin",
  "permission": "ALLOW",
  "property": "__updateById__categories"
},
{
  "accessType": "EXECUTE",
  "principalType": "ROLE",
  "principalId": "admin",
  "permission": "ALLOW",
  "property": "__destroyById__categories"
}
...

Now, if I add these same ACL rules for a specific role:

{
  "accessType": "EXECUTE",
  "principalType": "ROLE",
  "principalId": "StoreAdmin",
  "permission": "ALLOW",
  "property": "__create__categories"
},
{
  "accessType": "EXECUTE",
  "principalType": "ROLE",
  "principalId": "StoreAdmin",
  "permission": "ALLOW",
  "property": "__updateById__categories"
},
{
  "accessType": "EXECUTE",
  "principalType": "ROLE",
  "principalId": "StoreAdmin",
  "permission": "ALLOW",
  "property": "__destroyById__categories"
}
...

If I tap the endpoint logged in as a StoreAdmin user, then I get a 401 error response.

P.S. I've already taken a look at this: https://docs.strongloop.com/display/public/LB/Accessing+related+models, but there is no "hasAndBelongsTo" relation

danielrvt

1 Answer

I'll answer myself. It turns out that for the hasManyAndBelongsTo relation, the method names are not the same as the ones stated in the documentation for a hasMany relation. In fact, it is not even documented.

By running the app in debug mode: DEBUG=loopback:security:* I found out that the real method name was __link__categories.

danielrvt
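
The mismatch described in the answer, as an added example that is not part of the original post and is not LoopBack's own code: it resolves a relation request to the remote method name an ACL `property` has to match, then checks the question's StoreAdmin rules against it. The route table is an assumption based on LoopBack 2.x/3.x relation routes (the page confirms only `__link__categories`), and `remoteMethodFor`, `rolesAllowed` and `rule` are hypothetical helpers that ignore wildcard and DENY rules.

```javascript
// Added example, not LoopBack source. Route table reflects LoopBack 2.x/3.x
// relation REST routes (assumption); the page confirms only the __link__ row.
const RELATION_ROUTES = [
  // [HTTP verb, path after /:id/<relation>, remote-method prefix]
  ['GET', '', '__get__'],
  ['POST', '', '__create__'],
  ['DELETE', '', '__delete__'],
  ['GET', '/count', '__count__'],
  ['PUT', '/rel/:fk', '__link__'],      // many-to-many (through) relations only
  ['DELETE', '/rel/:fk', '__unlink__'], // many-to-many (through) relations only
  ['HEAD', '/rel/:fk', '__exists__'],   // many-to-many (through) relations only
  ['GET', '/:fk', '__findById__'],
  ['PUT', '/:fk', '__updateById__'],
  ['DELETE', '/:fk', '__destroyById__'],
];

// Resolve verb + URL to the method name an ACL "property" must match.
function remoteMethodFor(verb, path, relation) {
  const m = path.match(new RegExp(`^/api/[^/]+/[^/]+/${relation}(/.*)?$`));
  if (!m) return null;
  const rest = m[1] || '';
  for (const [v, suffix, prefix] of RELATION_ROUTES) {
    const re = new RegExp('^' + suffix.replace(':fk', '[^/]+') + '$');
    if (v === verb && re.test(rest)) return prefix + relation;
  }
  return null;
}

// Simplified check: exact-match ALLOW rules only (no wildcards, no DENY).
function rolesAllowed(acls, method) {
  return acls
    .filter(a => a.permission === 'ALLOW' && a.accessType === 'EXECUTE' &&
      a.principalType === 'ROLE' && a.property === method)
    .map(a => a.principalId);
}

const rule = (role, property) => ({
  accessType: 'EXECUTE', principalType: 'ROLE', principalId: role,
  permission: 'ALLOW', property,
});
// The StoreAdmin rules from the question, then the same list plus the fix.
const questionAcls = ['__create__categories', '__updateById__categories',
  '__destroyById__categories'].map(p => rule('StoreAdmin', p));
const fixedAcls = questionAcls.concat(rule('StoreAdmin', '__link__categories'));

const method = remoteMethodFor('PUT',
  '/api/cars/564d8e792583afef310affe3/categories/rel/suv-idcat', 'categories');
console.log(method, rolesAllowed(questionAcls, method), rolesAllowed(fixedAcls, method));
```

Run against a model's real ACL list, the same lookup shows which relation endpoints a role has no explicit ALLOW rule for before the 401 turns up in testing.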