Loopback: Role.id and Role.name mixup in resolving ACLs and Role.isInRole

Created on 9 Jan 2015  路  9Comments  路  Source: strongloop/loopback

The documentation for the ACL class states that the principalId for a Role should be "ID of the principal - such as appId, userId or roleId". When a role is resolved in ACL.checkAccessForContext we see that it is called with roleModel.isInRole(acl.principalId, ...
However, when looking at the documentation for Role.isInRole:

  /**
   * Check if a given principal is in the role
   *
   * @param {String} role The role name
   * @param {Object} context The context object
   * @callback {Function} callback
   * @param {Error} err
   * @param {Boolean} isInRole
   */
  Role.isInRole = function(role, context, callback)

And later on it is used as a name, not as an id: this.findOne({where: {name: role}} ...

I had hooked up all my ACLs to map on IDs, so I changed the code to use findById, and I could not find any other place that referred to it so that worked fine for me. Another option would be to change the calling code to use name, or have the find look for both name OR id.

As I don't know how you would like to have it, I figured I mention it to you guys without trying to provide a patch or something first.

Thanks for the great work and keep it up!

bug
Source
picture marcuspl

All 9 comments

@raymondfeng you are more familiar with ACLs than I am. Could you PTAL?

bajtos picture bajtos on 2 Jun 2016

@marcuspl Thank you for spotting this issue. We confirm with @raymondfeng that it should be role name. This should be a bug in code and not doc issue .

So we should pass in the principalName instead of the principalId
Do you want to provide a patch?
Thanks

```

    // Check role matches
    if (acl.principalType === ACL.ROLE) {
      inRoleTasks.push(function(done) {
        roleModel.isInRole(acl.principalId, context,
          function(err, inRole) {
            if (!err && inRole) {
              effectiveACLs.push(acl);
            }
            done(err, acl);
          });
      });

```

smartmouse picture smartmouse on 10 Feb 2017

I am removing the doc label as this is not really doc issue.

smartmouse picture smartmouse on 10 Feb 2017

@superkhau Who should we ping/assign this to now to ensure it doesn't get lost?

crandmck picture crandmck on 10 Feb 2017

@crandmck I believe @kjdelisle's team is on it according to the Slack convo's in their channel.

superkhau picture superkhau on 10 Feb 2017
👍1

Another option would be to change the calling code to use name...

@marcuspl Would you like to submit a patch instead? I can help get it landed quickly.

superkhau picture superkhau on 10 Feb 2017

FWIW, this may be related to #2420 and https://github.com/strongloop/loopback/pull/2975 /cc @ebarault.

bajtos picture bajtos on 15 Feb 2017

@superkhau I moved on a long time ago, don't even think I could find it anymore. Thanks though.

marcuspl picture marcuspl on 16 Feb 2017
👍1

I am closing this issue then. We can reopen it if we get more bug reports from our users.

bajtos picture bajtos on 26 Apr 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ian-lewis-cs picture ian-lewis-cs  路  4Comments
Overdrivr picture Overdrivr  路  3Comments
bajtos picture bajtos  路  4Comments
rkmax picture rkmax  路  3Comments
cajoy picture cajoy  路  4Comments