
Loopback DENY in ACL is not working

I'm new to loopback. I have created an ACL for Deny permission for all users ($everyone). But I could access all APIs through swagger. Can anyone explain this? Following is my ACL. Thanks.

"acls": [
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
    }
]

Possible reason:

To enable access control, you must call enableAuth(). For example, in a boot script server/boot/authentication.js:

module.exports = function enableAuthentication(server) {
  server.enableAuth();
};

Also check your server/model-config.json file to see if your ACL, RoleMapping and Role models are linked correctly to your datasource.

Your ACL is correct, so the problem is somewhere else. In case my answer doesn't help you, you might want to clone the loopback-example-access-control repository, try if it works for you and eventually try to figure out how it differs from your solution.

You can also try to debug it by specifying a DEBUG environment variable with the value loopback:security:* for the console to log the lookups and checks the server makes as requests come in.

Try removing the accessType like this:

{
  "principalType": "ROLE",
  "principalId": "$everyone",
  "permission": "DENY"
}

Otherwise, the best thing to do is to clone the LoopBack-sandbox, reproduce the issue in that repository and post an issue on GitHub.

Try changing the accessType field value from * to EXECUTE.

It also depends on your base model, as it might get overwritten by the base model's ACL.

For example, if your model is a User base model, the "create" method will still work even if you put DENY to $everyone, unless you specify "property": ["create"].

"acls": [
    {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY",
      "property": [
        "create"
      ]
    }
]

Reference (list of User base ACLs): https://github.com/strongloop/loopback/blob/master/common/models/user.json
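The two points the answers above make (nothing is denied until enableAuth() has been called, and a model-level DENY for $everyone loses to the more specific ALLOW for "create" inherited from the built-in User model) can be seen in a small, self-contained model of how LoopBack picks the winning ACL entry. This is an added example, not code from the question, the answers or LoopBack itself: the scoring in matchScore is a deliberate simplification of LoopBack's "most specific rule wins, DENY wins ties" behaviour, the base-model ACL list is a constructed subset of the entries in user.json, and the request objects and the app.authEnabled flag are assumptions made for the example.

```javascript
// Constructed subset of the ACLs that LoopBack's built-in User model declares
// (see common/models/user.json); only the entries needed for this example.
const USER_BASE_ACLS = [
  { principalType: 'ROLE', principalId: '$everyone', permission: 'DENY' },
  { principalType: 'ROLE', principalId: '$everyone', permission: 'ALLOW', property: 'create' },
  { principalType: 'ROLE', principalId: '$everyone', permission: 'ALLOW', property: 'login' },
  { principalType: 'ROLE', principalId: '$owner', permission: 'ALLOW', property: 'deleteById' },
];

// Score how specifically an ACL entry matches a request; -1 means the entry
// does not apply. Simplified ranking: an exact property match counts most,
// then an exact accessType, then a role narrower than $everyone.
function matchScore(acl, req) {
  let score = 0;

  // "property" may be missing (wildcard), a string, or an array of strings.
  const props = acl.property === undefined ? ['*'] : [].concat(acl.property);
  if (props.includes(req.property)) score += 4;
  else if (!props.includes('*')) return -1;

  // Missing accessType behaves like "*" (matches READ, WRITE and EXECUTE).
  const accessType = acl.accessType || '*';
  if (accessType === req.accessType) score += 2;
  else if (accessType !== '*') return -1;

  // The request's resolved roles must contain the entry's principal.
  if (!req.roles.includes(acl.principalId)) return -1;
  if (acl.principalId !== '$everyone') score += 1;
  return score;
}

// The most specific matching entry wins; on a tie DENY wins. When no entry
// matches at all, LoopBack falls back to allowing the request.
function resolvePermission(acls, req) {
  let best = { score: -1, permission: 'ALLOW' };
  for (const acl of acls) {
    const score = matchScore(acl, req);
    if (score < 0) continue;
    if (score > best.score || (score === best.score && acl.permission === 'DENY')) {
      best = { score, permission: acl.permission };
    }
  }
  return best.permission;
}

// A model's own ACLs are evaluated together with those inherited from its
// base model. Before enableAuth() every request passes, whatever the ACLs say.
function isAllowed(app, modelAcls, baseAcls, req) {
  if (!app.authEnabled) return true;
  return resolvePermission([...modelAcls, ...baseAcls], req) === 'ALLOW';
}

// Constructed requests from an anonymous caller (assumed role resolution).
const anonymousCreate = { property: 'create', accessType: 'WRITE', roles: ['$everyone', '$unauthenticated'] };
const anonymousFind = { property: 'find', accessType: 'READ', roles: ['$everyone', '$unauthenticated'] };

// The ACL from the question, and the narrower one the last answer suggests.
const denyAll = [{ principalType: 'ROLE', principalId: '$everyone', permission: 'DENY', accessType: '*' }];
const denyCreate = [{ principalType: 'ROLE', principalId: '$everyone', permission: 'DENY', property: ['create'] }];

// Usage: compare the same ACLs with auth off, then on, for both requests.
console.log(isAllowed({ authEnabled: false }, denyAll, USER_BASE_ACLS, anonymousFind));  // true
console.log(isAllowed({ authEnabled: true }, denyAll, USER_BASE_ACLS, anonymousFind));   // false
console.log(isAllowed({ authEnabled: true }, denyAll, USER_BASE_ACLS, anonymousCreate)); // true
console.log(isAllowed({ authEnabled: true }, denyCreate, USER_BASE_ACLS, anonymousCreate)); // false
```

The third line of output is the situation the last answer describes: the wildcard DENY scores lower than the base model's ALLOW on "create", so the more specific inherited rule wins. Only a DENY that is itself scoped to "create" ties with it, and a tie goes to DENY. The DEBUG=loopback:security:* output suggested in the first answer shows the real server making this same kind of comparison.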
