
In the above tutorial, reviews do not require an authorization token but coffeeshops do. This works: I use curl to send the email/password for a reviewer, receive an auth token and then send that auth token to get a list of shops.

But when I try the same thing to get a list of reviewers, I get an "authorization required" error, even though I sent an auth token.

Can someone explain this? What have I not understood?

Regards, John


1 Answer

I'm unable to test this, but I'm pretty sure I'm correct.

Reviewer is based on User, and nobody is allowed to find all Users.

In your scenario, you are authorized in the sense that you have a token. This gives you the $authenticated role, and if you have created anything, probably the $owner role for those things.

If your next question is "Can I allow $authenticated or $everyone to find all Users/Reviewers?" See this question.

Details

You can see the difference in the access controls by looking at the Review model's ACLs,

and then at User's ACLs.

Notice that the User model uses the $owner role often (indicating you must be that User), and that it doesn't allow find, only findById for the $owner.

Marvin Irwin
  • Thanks, that makes sense. Though it would be nice (from an admin perspective) to list all of the users. – John Jan 09 '19 at 17:13
  • Just to add, I tried Reviewers/id-number and that worked. Interestingly, Reviewers/id-number/exists gave a "requires auth" error. And trying with a different user id, having listed directly from the database, also gives an auth required error. – John Jan 10 '19 at 08:17
  • If you want to see exactly how LoopBack is deciding, you can launch your server like `DEBUG=loopback:security:* node .` on Linux/macOS or `set DEBUG=loopback:security & node .` on Windows. – Marvin Irwin Jan 10 '19 at 12:27
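To make the answer's point concrete, here is an added example (not code from the question, the answer or LoopBack itself) that simulates how a LoopBack 3 model's ACL list is resolved for a request. The `USER_ACLS` list is an approximation of the built-in User model's ACLs that a Reviewer model inherits; the real list lives in loopback/common/models/user.json in your installed version and should be checked there. The scoring function is a simplification of LoopBack's `ACL.getMatchingScore` (a property-specific rule beats a wildcard, a narrower role beats a broader one, DENY wins a tie), and the empty `REVIEW_ACLS` list is constructed only to show a model that falls through to the default permission. It reproduces the behaviour reported in the thread: `find` is denied even with a token, `findById` on your own id is allowed, `findById` on someone else's id and `exists` are denied.

```javascript
// Added example: a miniature LoopBack-style ACL resolver. Not LoopBack's code.

// Approximation of the built-in User model ACLs (assumption: verify against
// loopback/common/models/user.json in your install). The first entry is a
// wildcard DENY for everyone; every later ALLOW is narrowed to one method.
const USER_ACLS = [
  { principalId: '$everyone', permission: 'DENY' },                         // wildcard, all methods
  { principalId: '$everyone', permission: 'ALLOW', property: 'create' },
  { principalId: '$everyone', permission: 'ALLOW', property: 'login' },
  { principalId: '$everyone', permission: 'ALLOW', property: 'logout' },
  { principalId: '$owner',    permission: 'ALLOW', property: 'findById' },
  { principalId: '$owner',    permission: 'ALLOW', property: 'deleteById' },
  { principalId: '$owner',    permission: 'ALLOW', property: 'updateAttributes' },
];

// Constructed: a model with no ACLs at all (like a Review with none defined)
// falls through to LoopBack's default permission, which allows the call.
const REVIEW_ACLS = [];

// Dynamic roles a caller holds. ctx.userId comes from the access token,
// ctx.modelId is the instance id in the URL (null for collection methods).
// For a User-based model the instance "owner" is the instance itself, so
// $owner only applies when the id in the URL is your own user id.
function rolesFor(ctx) {
  const roles = ['$everyone'];
  if (ctx.userId == null) {
    roles.push('$unauthenticated');
  } else {
    roles.push('$authenticated');
    if (ctx.modelId != null && String(ctx.modelId) === String(ctx.userId)) {
      roles.push('$owner');
    }
  }
  return roles;
}

// Specificity score (simplified from ACL.getMatchingScore): -1 means the rule
// does not apply to this method at all.
const ROLE_WEIGHT = { $owner: 3, $authenticated: 2, $unauthenticated: 2, $everyone: 1 };
function score(acl, method) {
  let s = 0;
  if (acl.property === method) s += 8;                      // exact method match
  else if (acl.property && acl.property !== '*') return -1; // rule is for another method
  s += ROLE_WEIGHT[acl.principalId] * 2;                    // narrower role wins
  if (acl.permission === 'DENY') s += 1;                    // DENY wins a tie
  return s;
}

// Pick the highest-scoring rule among those whose role the caller holds.
function checkAccess(acls, method, ctx) {
  const roles = rolesFor(ctx);
  let best = null;
  let bestScore = -1;
  for (const acl of acls) {
    if (!roles.includes(acl.principalId)) continue;
    const s = score(acl, method);
    if (s > bestScore) { bestScore = s; best = acl; }
  }
  return best ? best.permission : 'ALLOW'; // no applicable rule: default permits
}

// Walk through the cases from the thread (token for user id 7).
const me = 7;
const cases = [
  ['GET /Reviewers            (find)',         USER_ACLS,   'find',     { userId: me,   modelId: null }],
  ['GET /Reviewers/7          (findById)',     USER_ACLS,   'findById', { userId: me,   modelId: 7 }],
  ['GET /Reviewers/9          (findById)',     USER_ACLS,   'findById', { userId: me,   modelId: 9 }],
  ['GET /Reviewers/7/exists   (exists)',       USER_ACLS,   'exists',   { userId: me,   modelId: 7 }],
  ['POST /Reviewers/login     (no token)',     USER_ACLS,   'login',    { userId: null, modelId: null }],
  ['GET /Reviews              (no token)',     REVIEW_ACLS, 'find',     { userId: null, modelId: null }],
];
for (const [label, acls, method, ctx] of cases) {
  console.log(label.padEnd(44), checkAccess(acls, method, ctx));
}
```

Running it prints DENY for the collection `find`, ALLOW for `findById` on your own id, DENY for another user's id and for `exists` (no rule names that method, so the wildcard DENY is the only one that applies), and ALLOW for the unauthenticated `login` and for the ACL-less Review model. This is the same reasoning `DEBUG=loopback:security:*` will show you for the real server.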