Piu130 - 6 months ago
Node.js Question

loopback-component-storage acl 401 error

The container Model looks like this:

{
  "name": "container",
  "base": "Model",
  ...
  "acls": [
    {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY",
      "accessType": "*"
    },
    {
      "principalType": "ROLE",
      "principalId": "admin",
      "permission": "ALLOW",
      "accessType": "WRITE"
    }
  ]
}


When I post an image to it, it returns a 401 error. I'm sure that I'm logged in as an 'admin' user because I make two requests with the same access token and the same ACL in the JSON model. The first one (not container) works, but the container one does not.

Is there a problem with the container ACL?

-----Edit-----

Starting with DEBUG=loopback:security:acl it returns:

---ACL---
model container
property *
principalType ROLE
principalId $everyone
accessType *
permission DENY
with score: 7495
---ACL---
model container
property *
principalType ROLE
principalId admin
accessType WRITE
permission ALLOW
with score: -1


"property": "*" is the default in the ACL.

For the first request (not container) it returns the same, but admin-write-allow has a higher score than $everyone-*-deny.

Setting "score": -2 doesn't work.

Answer

You are not defining a property (a method, basically), so I guess the ACL resolution gives higher weight to your first rule than to your second.

"acls": [
{
  "principalType": "ROLE",
  "principalId": "$everyone",
  "permission": "DENY",
  "accessType": "*"
},
{
  "principalType": "ROLE",
  "principalId": "admin",
  "property": "*", // Add this line
  "permission": "ALLOW",
  "accessType": "WRITE"
}
]

But then, ACLs can be tough to figure out sometimes. I would recommend using the debug string to see exactly what the ACL system has resolved:

On Windows:

set DEBUG=loopback:security:acl && node .

EDIT:

The issue was actually coming from the accessType (the requested endpoint was EXECUTE instead of WRITE), so the ACL was not resolved as expected.
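
The accessType mismatch described in the EDIT, as an added example that is not part of the original answer and is not LoopBack's own code: a simplified matcher showing why a WRITE-only ALLOW scores -1 for an EXECUTE request and leaves the `$everyone` DENY in force. The scoring weights, the function names, the default-deny fallback and the `upload` method name are assumptions made for illustration.

```javascript
// Simplified sketch of ACL matching (assumption: NOT LoopBack's real scoring).
const WILDCARD = '*';

// Returns -1 when the rule does not apply to the request (as in the debug log),
// otherwise a specificity score: exact field match = 3, wildcard = 2.
function matchScore(rule, req) {
  let score = 0;
  for (const field of ['property', 'accessType']) {
    const ruleValue = rule[field] || WILDCARD; // "property": "*" is the default
    if (ruleValue === req[field]) score = score * 4 + 3;
    else if (ruleValue === WILDCARD) score = score * 4 + 2;
    else return -1;
  }
  return score;
}

// Permission of the best-scoring rule that applies to one of the caller's roles.
function resolve(acls, roles, req) {
  let best = { score: -1, permission: 'DENY' }; // this sketch denies when nothing matches
  for (const rule of acls) {
    if (!roles.includes(rule.principalId)) continue;
    const score = matchScore(rule, req);
    if (score > best.score) best = { score, permission: rule.permission };
  }
  return best.permission;
}

const deny = { principalType: 'ROLE', principalId: '$everyone', permission: 'DENY', accessType: '*' };
const allow = (accessType) =>
  ({ principalType: 'ROLE', principalId: 'admin', permission: 'ALLOW', accessType });

// ACLs from the question, and a variant that allows EXECUTE (constructed).
const questionAcls = [deny, allow('WRITE')];
const executeAcls = [deny, allow('EXECUTE')];

// Constructed inputs: an admin caller and an EXECUTE-type method request.
const adminRoles = ['$everyone', 'admin'];
const executeReq = { property: 'upload', accessType: 'EXECUTE' };

console.log(matchScore(allow('WRITE'), executeReq));         // rule does not apply
console.log(resolve(questionAcls, adminRoles, executeReq));  // request rejected
console.log(resolve(executeAcls, adminRoles, executeReq));   // request permitted
```

Running the real application with DEBUG=loopback:security:acl, as the answer suggests, shows which accessType the failing endpoint is actually resolved with.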