Loopback DENY In Acl Is Not working
I'm new to loopback. I have created ACL for Deny permission for all users ($everyone). But I could access all API through swagger. Can anyone explain this? Following is my ACL. Thanks.

    "acls": [
      {
        "accessType": "*",
        "principalType": "ROLE",
        "principalId": "$everyone",
        "permission": "DENY"
      }
    ]

Possible reason:
To enable access control, you must call enableAuth(). For example, in a boot script server/boot/authentication.js:

    module.exports = function enableAuthentication(server) {
      server.enableAuth();
    };

Also check your server/model-config.json file to see if your ACL, RoleMapping and Role models are linked correctly to your datasource.
Your ACL is correct, so a problem is somewhere else. In case my answer doesn't help you, you might want to clone the loopback-example-access-control repository, try if it works for you and eventually try to figure out how it differs from your solution.
You can also try to debug it by specifying a DEBUG environment variable with value loopback:security:* for the console to log the lookups and checks the server makes as requests come in.
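
A heuristic check for the two causes named in the answer above (no enableAuth() call, auth models not attached to a datasource), as an added example that is not part of the original answer or LoopBack's own code. The function name auditAccessControl, the input shapes and the sample data are assumptions constructed for illustration.

```javascript
// Added example: heuristic check for the two causes named in the answer above.
// All sample data below is constructed for illustration.
const AUTH_MODELS = ['ACL', 'RoleMapping', 'Role']; // models named in the answer

// modelConfig: parsed server/model-config.json (hypothetical input shape)
// bootScripts: { fileName: sourceText } for the files under server/boot/
function auditAccessControl(modelConfig, bootScripts) {
  const findings = [];
  // 1. Access control is only enabled once a boot script calls enableAuth().
  const callsEnableAuth = Object.values(bootScripts).some((src) => {
    const code = src
      .replace(/\/\*[\s\S]*?\*\//g, '') // drop block comments
      .replace(/\/\/.*$/gm, '');        // drop line comments (heuristic)
    return /\.enableAuth\s*\(/.test(code);
  });
  if (!callsEnableAuth) findings.push('no boot script calls enableAuth()');
  // 2. Each auth model needs an entry with a non-empty dataSource.
  for (const name of AUTH_MODELS) {
    const entry = modelConfig[name];
    if (!entry) findings.push(`${name} is missing from model-config.json`);
    else if (!entry.dataSource) findings.push(`${name} has no dataSource`);
  }
  return findings;
}

// Constructed sample: enableAuth() commented out, RoleMapping absent, Role detached.
const brokenConfig = {
  ACL: { dataSource: 'db', public: false },
  Role: { dataSource: null, public: false },
};
const brokenBoot = {
  'authentication.js':
    'module.exports = function(server) {\n  // server.enableAuth();\n};\n',
};
// Constructed sample: the boot script from the answer plus all three models attached.
const fixedConfig = {
  ACL: { dataSource: 'db', public: false },
  RoleMapping: { dataSource: 'db', public: false },
  Role: { dataSource: 'db', public: false },
};
const fixedBoot = {
  'authentication.js':
    'module.exports = function enableAuthentication(server) {\n  server.enableAuth();\n};\n',
};

console.log(auditAccessControl(brokenConfig, brokenBoot));
console.log(auditAccessControl(fixedConfig, fixedBoot)); // []
```
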

Try removing the accessType like this:

    {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
    }

Otherwise, the best thing to do is to clone the LoopBack-sandbox and reproduce the issue in that repository and post an issue on GitHub.

Try changing the accessType field value from * to EXECUTE.

It also depends on your base model, as it might get overwritten by the base model's ACL.
For example, if your model is a User base model, the "create" method will still work even if you put DENY to $everyone, unless you specify "property": ["create"].

    "acls": [
      {
        "principalType": "ROLE",
        "principalId": "$everyone",
        "permission": "DENY",
        "property": [
          "create"
        ]
      }
    ]

Reference (List of User base ACLs): https://github.com/strongloop/loopback/blob/master/common/models/user.json