strongloop / loopback-example-access-control

An example demonstrating LoopBack access control mechanisms.

alc $owner access return Unauthorized #79

Closed kernel8liang closed 7 years ago

kernel8liang commented 8 years ago

I have defined two models: model A, which inherits from User, and model B, a normal model which inherits from PersistedModel. See below:

model A:

{
    "name": "A",
    "base": "User",
    "idInjection": true,
    "options": {
        "validateUpsert": true
    },
    "properties": {
        "phoneNumber": {
            "type": "string"
        }
    },
    "validations": [],
    "relations": {
        "adtasks": {
            "type": "hasMany",
            "model": "B",
            "foreignKey": "UserID"
        }
     },
     "acls": [],
     "methods": {}    
}

model B:

{
    "name": "B",
    "base": "PersistedModel",
    "idInjection": true,
    "options": {
        "validateUpsert": true
    },
    "properties": {
        "createTime": {
        "type": "string",
        "required": true,
        "default": "blank"
    },
    "location": {
        "type": "string",
        "required": true,
        "default": "blank"
    },
    "validations": [],
    "relations": {
        "a": {
            "type": "belongsTo",
            "model": "A",
            "foreignKey": "UserID"
        }
    },
    "acls": [
        {
             "accessType": "*",
             "principalType": "ROLE",
             "principalId": "$everyone",
             "permission": "DENY"
        },
        {
            "accessType": "READ",
            "principalType": "ROLE",
            "principalId": "$owner",
            "permission": "ALLOW"
        }
    ],
    "methods": {}
}

When a user logs in I want to let them see only the items which belong to that user. I use Angular as the client. The app.js is defined as below:

// Application module and route table.
// `authenticate: true` is custom state data: ui-router ignores it unless a
// `$stateChangeStart` listener (not part of this listing) reads it, and even
// then it only gates client-side navigation — the server's ACLs decide access.
angular
  .module('app', ['ui.router', 'lbServices', 'ngAnimate', 'ui.bootstrap'])
  .config(['$stateProvider', '$urlRouterProvider',
    function configureRoutes($stateProvider, $urlRouterProvider) {
      // Item list for one user; `:id` only selects what the client asks for.
      $stateProvider.state('all-Biterms', {
        url: '/all-Biterms/:id',
        templateUrl: 'views/all-Biterms.html',
        controller: 'AllBitermsController',
        authenticate: true
      });

      // Login page; no `authenticate` flag so anonymous users can reach it.
      $stateProvider.state('login-Biterms', {
        url: '/login-Bdtask',
        templateUrl: 'views/login.html',
        controller: 'BUserLoginController'
      });
    }]);

in BUserLoginController:

// Login controller: collects credentials from the view and, once AuthService
// reports success, routes to the current user's item list.
angular
  .module('app')
  .controller('BUserLoginController', ['$scope', 'AuthService', '$state', '$rootScope',
    function BUserLoginController($scope, AuthService, $state, $rootScope) {
      // Bound to the login form fields (email, password).
      $scope.user = {};

      // Navigate to the item list after a successful login. The `id` route
      // parameter comes from $rootScope.currentUser, which AuthService is
      // presumably populating before the promise resolves — confirm in AuthService.
      // A rejected login is not handled here, so a failed attempt shows nothing.
      function goToItems() {
        $state.go('all-Biterms', { "id": $rootScope.currentUser.id });
      }

      $scope.login = function () {
        var credentials = $scope.user;
        AuthService.login(credentials.email, credentials.password).then(goToItems);
      };
    }]);

After login I get this error from the browser:

Failed to load resource: the server responded with a status of 401 (Unauthorized)

and on the server side I get this log:

loopback:security:role isInRole(): $everyone +0ms
loopback:security:access-context ---AccessContext--- +1ms
loopback:security:access-context principals: [] +1ms
loopback:security:access-context modelName Aduser +0ms
loopback:security:access-context modelId undefined +0ms
loopback:security:access-context property login +0ms
loopback:security:access-context method login +0ms
loopback:security:access-context accessType EXECUTE +0ms
loopback:security:access-context accessToken: +0ms
loopback:security:access-context   id "$anonymous" +0ms
loopback:security:access-context   ttl 1209600 +2ms
loopback:security:access-context getUserId() null +0ms
loopback:security:access-context isAuthenticated() false +0ms
loopback:security:role Custom resolver found for role $everyone +0ms
loopback:security:role isInRole(): $everyone +0ms
loopback:security:access-context ---AccessContext--- +0ms
loopback:security:access-context principals: [] +0ms
loopback:security:access-context modelName Aduser +0ms
loopback:security:access-context modelId undefined +0ms
loopback:security:access-context property login +1ms
loopback:security:access-context method login +0ms
loopback:security:access-context accessType EXECUTE +0ms
loopback:security:access-context accessToken: +0ms
loopback:security:access-context   id "$anonymous" +0ms
loopback:security:access-context   ttl 1209600 +0ms
loopback:security:access-context getUserId() null +0ms
loopback:security:access-context isAuthenticated() false +0ms
loopback:security:role Custom resolver found for role $everyone +1ms
loopback:security:acl The following ACLs were searched:  +1ms
loopback:security:acl ---ACL--- +0ms
loopback:security:acl model Aduser +0ms
loopback:security:acl property login +0ms
loopback:security:acl principalType ROLE +0ms
loopback:security:acl principalId $everyone +0ms
loopback:security:acl accessType * +0ms
loopback:security:acl permission ALLOW +0ms
loopback:security:acl with score: +0ms 8004
loopback:security:acl ---ACL--- +1ms
loopback:security:acl model Aduser +0ms
loopback:security:acl property * +0ms
loopback:security:acl principalType ROLE +0ms
loopback:security:acl principalId $everyone +0ms
loopback:security:acl accessType * +0ms
loopback:security:acl permission DENY +0ms  
loopback:security:acl with score: +0ms 7495
loopback:security:acl ---Resolved--- +0ms 
loopback:security:access-context ---AccessRequest--- +0ms
loopback:security:access-context  model Aduser +0ms
loopback:security:access-context  property login +0ms
loopback:security:access-context  accessType EXECUTE +0ms
loopback:security:access-context  permission ALLOW +0ms
loopback:security:access-context  isWildcard() false +0ms
loopback:security:access-context  isAllowed() true +1ms
loopback:security:role isInRole(): $everyone +283ms
loopback:security:access-context ---AccessContext--- +0ms
loopback:security:access-context principals: +0ms
loopback:security:access-context principal: {"type":"USER","id":1} +0ms
loopback:security:access-context modelName Adtask +0ms
loopback:security:access-context modelId undefined +1ms
loopback:security:access-context property find +0ms
loopback:security:access-context method find +0ms
loopback:security:access-context accessType READ +0ms
loopback:security:access-context accessToken: +0ms
loopback:security:access-context   id       "iZtl0Le5rllFwz93u0A1wy4LvsJdDcCyi6gNyLIKiOWRAeAX4WuNUOEpDPLXcn2z" +1ms
loopback:security:access-context   ttl 1209600 +0ms
loopback:security:access-context getUserId() 1 +0ms
loopback:security:access-context isAuthenticated() true +0ms
loopback:security:role Custom resolver found for role $everyone +1ms
loopback:security:role isInRole(): $owner +0ms
loopback:security:access-context ---AccessContext--- +0ms
loopback:security:access-context principals: +0ms
loopback:security:access-context principal: {"type":"USER","id":1} +0ms
loopback:security:access-context modelName Adtask +0ms
loopback:security:access-context modelId undefined +0ms
loopback:security:access-context property find +0ms
loopback:security:access-context method find +2ms
loopback:security:access-context accessType READ +0ms
loopback:security:access-context accessToken: +1ms
loopback:security:access-context   id "iZtl0Le5rllFwz93u0A1wy4LvsJdDcCyi6gNyLIKiOWRAeAX4WuNUOEpDPLXcn2z" +0ms
loopback:security:access-context   ttl 1209600 +0ms
loopback:security:access-context getUserId() 1 +0ms
loopback:security:access-context isAuthenticated() true +0ms
loopback:security:role Custom resolver found for role $owner +0ms
loopback:security:acl The following ACLs were searched:  +2ms
loopback:security:acl ---ACL--- +0ms
loopback:security:acl model Adtask +0ms
loopback:security:acl property * +0ms
loopback:security:acl principalType ROLE +0ms
loopback:security:acl principalId $everyone +0ms
loopback:security:acl accessType * +0ms
loopback:security:acl permission DENY +0ms
loopback:security:acl with score: +0ms 7495
loopback:security:acl ---Resolved--- +1ms
loopback:security:access-context ---AccessRequest--- +1ms
loopback:security:access-context  model Adtask +0ms
loopback:security:access-context  property find +0ms
loopback:security:access-context  accessType READ +1ms
loopback:security:access-context  permission DENY +0ms
loopback:security:access-context  isWildcard() false +0ms
loopback:security:access-context  isAllowed() false +1ms

So, I want to know how I can make it run correctly, letting each user see only the items that belong to them.

kernel8liang commented 8 years ago

I just did another test with some modifications to the loopback-getting-started-intermediate source code.

 index 05d59c6..cf80ed0 100644
 --- a/client/js/app.js
 +++ b/client/js/app.js
 @@ -42,7 +42,7 @@ angular
          controller: 'AuthLogoutController'
        })
        .state('my-reviews', {
 -        url: '/my-reviews',
 +        url: '/my-reviews/:id',
          templateUrl: 'views/my-reviews.html',
          controller: 'MyReviewsController',
          authenticate: true
 @@ -56,11 +56,12 @@ angular
          url: '/sign-up/success',
          templateUrl: 'views/sign-up-success.html'
        });
 -    $urlRouterProvider.otherwise('all-reviews');
 +    $urlRouterProvider.otherwise('login');
    }])
    .run(['$rootScope', '$state', function($rootScope, $state) {
      $rootScope.$on('$stateChangeStart', function(event, next) {
        // redirect to login page if not logged in
 +      console.log(next)
        if (next.authenticate && !$rootScope.currentUser) {
          event.preventDefault(); //prevent current page from loading
          $state.go('forbidden');
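Review bot: The added `console.log(next)` in the `$stateChangeStart` handler is a leftover debug statement: it prints the full target state object on every route transition and, unlike the surrounding lines, has no terminating semicolon. Drop the line before committing, or keep it only behind an explicit debug flag if the output is still needed while diagnosing the routing. The handler body continues past the end of this hunk.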

 index 793388d..19d5ce0 100644
 --- a/client/js/controllers/auth.js
 +++ b/client/js/controllers/auth.js
 @@ -1,7 +1,7 @@
  angular
    .module('app')
 -  .controller('AuthLoginController', ['$scope', 'AuthService', '$state',
 -      function($scope, AuthService, $state) {
 +  .controller('AuthLoginController', ['$scope', 'AuthService', '$state', '$rootScope',
 +      function($scope, AuthService, $state, $rootScope) {
      $scope.user = {
        email: 'foo@bar.com',
        password: 'foobar'
 @@ -10,7 +10,7 @@ angular
      $scope.login = function() {
        AuthService.login($scope.user.email, $scope.user.password)
          .then(function() {
 -          $state.go('add-review');    
 +          $state.go('my-reviews', {"id": $rootScope.currentUser.id});
          });
      };
    }])

 index f56a11f..9345676 100644
 --- a/common/models/review.json
 +++ b/common/models/review.json
 @@ -36,12 +36,6 @@
        "permission": "DENY"
      },
      {
 -      "accessType": "READ",
 -      "principalType": "ROLE",
 -      "principalId": "$everyone",
 -      "permission": "ALLOW"
 -    },
 -    {
        "accessType": "EXECUTE",
        "principalType": "ROLE",
        "principalId": "$authenticated",
 @@ -53,7 +47,13 @@
        "principalType": "ROLE",
        "principalId": "$owner",
        "permission": "ALLOW"
 +    },
 +    {
 +      "accessType": "READ",
 +      "principalType": "ROLE",
 +      "principalId": "$owner",
 +      "permission": "ALLOW"
      }
    ],
 -  "methods": []
 +  "methods": {}
  }
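Review bot: The added `$owner` READ rule cannot match a collection-level `find`: `$owner` is resolved against a specific model instance, and the access log earlier in the thread shows `modelId undefined` for `property find`, so the `$everyone` DENY is the only rule that applies and the request gets a 401. Swapping `$owner` for `$authenticated`, as tried later in the thread, removes the error but grants every logged-in user READ on every review, which is an authorization gap rather than a fix. Keep the `$owner` rule for instance-level methods and serve the per-user list through the owning model's relation endpoint or a server-side filter on the request's user id, so ownership is enforced by the server and not by the `:id` route parameter the client chooses to send. Whether the review model has such a relation is not visible in this diff.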

I modified the source code to do the same thing I want to do, and I got the same error.

kernel8liang commented 8 years ago

When I change $owner to $authenticated, it runs as expected.

stale[bot] commented 7 years ago

This issue has been closed due to continued inactivity. Thank you for your understanding. If you believe this to be in error, please contact one of the code owners, listed in the CODEOWNERS file at the top-level of this repository.