Loopback: ACLs in database not getting checked, only those in memory.

Created on 4 Sep 2015 · 12 Comments · Source: strongloop/loopback

I'm trying to test the usage of ACLs in my database, since my application will have to create some according to user input, and they have to be persistent (therefore boot scripts aren't an option). I've got some ACLs for dynamic roles defined in the appropriate model's .json, e.g., group.json

...
"acls": [
    {
      "accessType": "WRITE",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
    }
  ],
...

However, I've also attempted to put an ACL in the database that looks like this:

# id, model, property, accessType, permission, principalType, principalId
1, Groups, __get__users, EXECUTE, DENY, USER, 400121939

I've tried every reasonable permutation of 'USER', 'User', and so on, as well as 'CLIENT', 'Client', etc. (Client is the name of our User-extending model).

Furthermore, I've ensured the ACL model uses the correct dataSource in model-config.json.

...
"ACL": {
    "dataSource": "campus-directory",
    "public": false
  },
...

And yet, when I authenticate as this particular user, I'm allowed access, and in fact the ACL never gets searched! DEBUG=loopback:security:* output is below.

 loopback:security:role isInRole(): $everyone +0ms
  loopback:security:access-context ---AccessContext--- +1ms
  loopback:security:access-context principals: +0ms
  loopback:security:access-context principal: {"type":"USER","id":400121939} +0ms
  loopback:security:access-context modelName Groups +0ms
  loopback:security:access-context modelId 8030 +0ms
  loopback:security:access-context property __get__users +0ms
  loopback:security:access-context method __get__users +0ms
  loopback:security:access-context accessType READ +0ms
  loopback:security:access-context accessToken: +0ms
  loopback:security:access-context   id "zX7HAtZRkpdsDKYRHITK7PBlodM8vjTCEZ9Fkp5AJE40GK0Y24cSAX1lYzUmR19C" +0ms
  loopback:security:access-context   ttl 1209600 +1ms
  loopback:security:access-context getUserId() 400121939 +0ms
  loopback:security:access-context isAuthenticated() true +0ms
  loopback:security:role Custom resolver found for role $everyone +0ms
  loopback:security:acl The following ACLs were searched:  +1ms
  loopback:security:acl ---ACL--- +0ms
  loopback:security:acl model Groups +0ms
  loopback:security:acl property * +0ms
  loopback:security:acl principalType ROLE +0ms
  loopback:security:acl principalId $everyone +0ms
  loopback:security:acl accessType WRITE +0ms
  loopback:security:acl permission DENY +0ms
  loopback:security:acl with score: +0ms -1
  loopback:security:acl ---Resolved--- +1ms
  loopback:security:access-context ---AccessRequest--- +0ms
  loopback:security:access-context  model Groups +0ms
  loopback:security:access-context  property __get__users +0ms
  loopback:security:access-context  accessType READ +0ms
  loopback:security:access-context  permission ALLOW +0ms
  loopback:security:access-context  isWildcard() false +0ms
  loopback:security:access-context  isAllowed() true +0ms
triaging

All 12 comments

Hi
I'm having the same problem. No matter which connector I set for ACL in model-config.json, it always uses memory. The ACL generator also generates them in memory, not using the connector set in the json file.

Can one of you share a simple project on github to demonstrate the issue? It will help us troubleshoot.

@bomattin your model name "Groups" in the database might be incorrect.

@raymondfeng @Shyri I've got a test case here for you: https://github.com/bomattin/lb-acl-test

If still somebody facing issue on this let me know.. I implemented this successfully..

I am having this issue and am not able to implement authorization. Kindly help @tushargangwal

Solved this issue. When you add an ACL entry to the DB, make sure you specify the 'accessType'. It is always good to specify all the attributes of an ACL (model, property, accessType, permission, principalType, principalId). Also, the value for 'model' should correspond to the 'name' attribute specified in "your-model".json file.

Issue resolved. Closing.
If anyone is still facing the same issue, please leave a comment and the case will be re-opened. Thanks.

@tushargangwal Could you provide an example application, please ?

I am implementing this right now. So far it's going well. But I may want to customise this a little more than what was available, so I guess I might need the team's help.

@tushargangwal Could you provide an example application, please?

If still somebody facing issue on this let me know.. I implemented this successfully..

Could you please list down how you solved it?
