Loopback: Patch Attributes needs to be updated on default user model

Created on 16 Aug 2016 · 4 Comments · Source: strongloop/loopback

All 4 comments

@devotox: As the built-in user model extends PersistedModel and patchAttributes is an alias for updateAttributes, there seems to be no need to get that updated.

@gunjpan I think devotox is right. There's a problem related to ACLs.
When I inherit the built-in User model (named MyUser) and set ACLs like this:

    {
      "accessType": "EXECUTE",
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "DENY",
      "property": "updateAttributes"
    },

This ACL is not working, because the current API path 'PATCH /users/:id' is routed to the 'patchAttributes' method. When I change the 'property' to 'patchAttributes', the ACL works. The same situation also happens with the 'replaceById' method, which is exposed at the 'PUT /users/:id' path.

But currently, all the LoopBack documents talk about 'updateAttributes', not about 'patchAttributes' or 'replaceById'. The same is true of the API document. Because of this, I assumed that lots of LoopBack developers mis-define ACLs on 'updateAttributes' in their own user models.

@casamia918 how did you go about getting the right ACLs? Could you show me what your extended User model looks like?

@devotox

    {
      "accessType": "EXECUTE",
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "DENY",
      "property": "patchAttributes"
    },
    {
      "accessType": "EXECUTE",
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "DENY",
      "property": "replaceById"
    },

I found the right method name by reading the built-in user model's definition JSON file. Normally it is located at node_modules/loopback/common/models/user.json
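
As an added example (not part of the thread and not LoopBack's own code), a small check that flags ACL entries in a model definition that name `updateAttributes` without equivalent entries for `patchAttributes` and `replaceById`, the methods the comments above report the `PATCH` and `PUT` routes use. The function name `findUncoveredAcls` and the sample model are constructed for illustration.

```javascript
'use strict';

// Per the thread: PATCH /users/:id is routed to patchAttributes and
// PUT /users/:id to replaceById, so an ACL that names only
// updateAttributes does not cover those routes.
const REQUIRED_WITH = new Map([
  ['updateAttributes', ['patchAttributes', 'replaceById']],
]);

// "property" is treated as a string or an array of strings
// (array handling is an assumption of this example).
const props = (acl) => [].concat(acl.property || []);

// Two entries match when they apply the same rule to the same principal.
const sameRule = (a, b) =>
  ['accessType', 'principalType', 'principalId', 'permission']
    .every((key) => a[key] === b[key]);

// Returns one finding per ACL entry that names a legacy method but has no
// equivalent entry for the methods the REST routes actually invoke.
function findUncoveredAcls(modelDef) {
  const acls = modelDef.acls || [];
  const findings = [];
  acls.forEach((acl, index) => {
    for (const legacy of props(acl)) {
      const required = REQUIRED_WITH.get(legacy);
      if (!required) continue;
      const missing = required.filter((method) =>
        !acls.some((other) =>
          sameRule(acl, other) && props(other).includes(method)));
      if (missing.length) findings.push({ index, property: legacy, missing });
    }
  });
  return findings;
}

// Constructed sample: patchAttributes is covered, replaceById is not.
const owner = { accessType: 'EXECUTE', principalType: 'ROLE',
  principalId: '$owner', permission: 'DENY' };
const sampleModel = {
  name: 'MyUser',
  base: 'User',
  acls: [
    { ...owner, property: 'updateAttributes' },
    { ...owner, property: 'patchAttributes' },
  ],
};

console.log(JSON.stringify(findUncoveredAcls(sampleModel), null, 2));
```

To audit a real project, pass the parsed contents of each model definition JSON file to `findUncoveredAcls`.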
