Loopback allowing all users to access something that only the owner should see
In my LoopBack application I have two models: user and thing. Basically thing belongs to user, and only the owner should be able to access a thing. This is what my thing.json file looks like:
{
  "name": "thing",
  "base": "PersistedModel",
  "idInjection": true,
  "options": {
    "validateUpsert": true
  },
  "properties": {
    "name": {
      "type": "string",
      "required": true
    }
  },
  "validations": [],
  "relations": {
    "user": {
      "type": "belongsTo",
      "model": "user",
      "foreignKey": "userId",
      "primaryKey": "id"
    }
  },
  "acls": [
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
    },
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW"
    },
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$unauthenticated",
      "permission": "DENY"
    }
  ],
  "methods": {}
}
What happens is that if I deny everyone before allowing certain roles, as I am doing now, nobody is allowed to access or create anything, but if I remove that line, all users can access everything. What am I missing? I want only the owner to be able to access their own things.
Thanks!
From the LoopBack documentation:
To qualify a $owner, the target model needs to have a belongsTo relation to the User model (or a model that extends User) and property matching the foreign key of the target model instance. The check for $owner is performed only for a remote method that has ‘:id’ on the path, for example, GET /api/users/:id.