Hi!
I am struggling with this. How do I list all items belonging to me? For example, I am looking at the loopback-example-access-control project. I am querying GET /users/{id}/team with the correct user id and access token, but I get a 401 "auth required" error.
Also, a related question: if I create a new item with POST or PATCH, can I somehow assign the specific ownerId on server side to the newly created object?
Thank you for your help,
Zsolt
Hi @zsszatmari,
You should be able to see the objects you own. That is happening due to the permission given. You need to have the proper permission in order to access these items. So here is a document on how to control data access. Please have a look and let me know if you have further questions.
https://docs.strongloop.com/display/public/LB/Controlling+data+access
If it is still not working, please create a sample repo so I can help you debug.
Thanks.
@zsszatmari I just encountered exactly the same issue. For the sake of example imagine the objects are Reviews. Each Review is owned by your User 'subclass'. Now, what I found was that even though I had set up a simple ACL in my Review.json to permit $owner to READ their owned objects, the problem seems to be that the 'base' User has a default ACL to deny all. So, even though the owned object's ACL might permit the request when you do, say, GET /Reviews/id where the id is the id of a Review owned by the authenticated user, doing GET /MyUser/Reviews/ to get all Reviews owned by the authenticated user won't work because of the default User ACL. What I just found was that if I added this ACL to my User object to permit READ operations by $owner:
...
"acls": [{
  "accessType": "READ",
  "principalType": "ROLE",
  "principalId": "$owner",
  "permission": "ALLOW"
}],
...
...then, very pleasingly, this GET request successfully returned objects - and only those objects owned by the authenticated user.
I am only just learning about ACLs and relations, and this may either not be the best way to do it or it might be too permissive.
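A complete model definition for the subclassed user, as an added example that is not Trevor's file or anything from the LoopBack project; it assumes the subclass is called MyUser, the relation is named reviews, and the foreign key on Review is ownerId (only MyUser and Review are named above). The hasMany relation is what exposes GET /MyUsers/{id}/reviews, and the acls entry is the $owner READ allow from the comment above; the Review model is assumed to carry the matching belongsTo with foreignKey ownerId plus its own $owner READ ACL.

```json
{
  "name": "MyUser",
  "base": "User",
  "idInjection": true,
  "relations": {
    "reviews": {
      "type": "hasMany",
      "model": "Review",
      "foreignKey": "ownerId"
    }
  },
  "acls": [
    {
      "accessType": "READ",
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW"
    }
  ]
}
```

Because accessType READ covers find, count and exists as well as every relation GET, this lets an authenticated user read their own record and its related Reviews but nothing belonging to another user; the base User's deny-all for $everyone still applies to everyone else.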
Hi @zsszatmari, does the previous answer by @TrevorPage fix your issue? Thanks.
Hi! Sorry, but I don't know; the solution is likely good, but it came a little late for me, so I've moved on and am not near a LoopBack project to actually try it out.
Thanks for everything.
@zsszatmari you are welcome. Let me know if you need any further assistance.