2017-02-11 16 views

如何在 LoopBack 中使用 checkAccessForContext

common/models/list.json

... 
    "acls": [ 
    { 
     "accessType": "*", 
     "principalType": "ROLE", 
     "principalId": "$everyone", 
     "permission": "DENY" 
    }, 
    { 
     "accessType": "READ", 
     "principalType": "ROLE", 
     "principalId": "$authenticated", 
     "permission": "ALLOW", 
     "property": "find" 
    }, 
    { 
     "principalType": "ROLE", 
     "principalId": "$authenticated", 
     "permission": "ALLOW", 
     "property": "create" 
    }, 
    { 
     "accessType": "*", 
     "principalType": "ROLE", 
     "principalId": "$owner", 
     "permission": "ALLOW" 
    } 
    ], 
... 

当我以 id 1 请求 GET /lists/{id} 时(我的令牌属于该列表的所有者),会得到我的列表和 200 响应。这没有问题。

但是,当我在应用中进行如下调用时:

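// Ask the ACL model which permission it resolves for a READ on List #1
// when the only principal supplied is the $owner role.
app.models.ACL.checkAccessForContext(
  {
    principals: [{ type: 'ROLE', id: '$owner' }],
    model: 'List',
    id: 1,
    property: '*',
    accessType: 'READ',
  },
  (error, request) => {
    if (error) {
      // Fail closed: when the check itself errors there is no resolved
      // request, so report the error instead of reading a permission
      // from an undefined result.
      console.error(error);
      return;
    }
    // request.permission holds the resolved permission (e.g. 'DENY').
    console.log(request);
  }
);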

我得到的是 request.permission === 'DENY'。为什么会这样?我传入的 principals 是否正确?

感谢您的任何帮助。

回答


你的代码没有问题。这是 LoopBack 中的一个 bug(#2153),我已经为它提交了一个 pull request。在修复被合并之前,您可以先对该方法打猴子补丁(monkey patch):

const { AccessContext, AccessRequest } = require('loopback/lib/access-context');

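/**
 * Temporary override of ACL.resolvePermission: picks the permission that
 * applies to an access request from a list of ACL rules.
 *
 * Scope requirements: `ACL` must already be bound to the application's ACL
 * model (the question reaches it as `app.models.ACL`), and both
 * `AccessRequest` and `AccessContext` must be in scope from
 * 'loopback/lib/access-context'.
 *
 * NOTE(review): this replaces authorization logic. The added `break` makes
 * wildcard requests stop at the first rule that outranks the current
 * permission, so lower-scored rules (including any DENY among them) are no
 * longer consulted. Re-test your ACLs with the patch applied, pin the
 * LoopBack version it was written against, and remove it once the upstream
 * fix is released.
 *
 * @param {Array<Object>} acls - ACL rules to evaluate; sorted in place by
 *   matching score, so the caller's array is reordered.
 * @param {AccessRequest|Object} req - the access request; anything that is
 *   not an AccessRequest is wrapped in one.
 * @returns {AccessRequest} a new request carrying the resolved permission
 *   (ACL.DEFAULT when no rule supplied one).
 */
ACL.resolvePermission = function resolvePermission(acls, req) {
  const request = req instanceof AccessRequest ? req : new AccessRequest(req);

  // Highest matching score first. sort() reorders the caller's array too.
  const ranked = acls.sort(function(rule1, rule2) {
    return (
      ACL.getMatchingScore(rule2, request) -
      ACL.getMatchingScore(rule1, request)
    );
  });

  let permission = ACL.DEFAULT;

  for (const candidate of ranked) {
    // Rules are sorted, so the first negative score means nothing further
    // down the list matches either.
    if (ACL.getMatchingScore(candidate, request) < 0) {
      break;
    }

    // A non-wildcard request takes the first (best-scored) match; a wildcard
    // request does the same when the rule matches it exactly.
    if (!request.isWildcard() || request.exactlyMatches(candidate)) {
      permission = candidate.permission;
      break;
    }

    // Wildcard request, inexact rule: compare permission strength.
    const candidateOrder = AccessContext.permissionOrder[candidate.permission];
    const currentOrder = AccessContext.permissionOrder[permission];
    if (candidateOrder > currentOrder) {
      permission = candidate.permission;
      // The workaround for the bug: stop here instead of letting
      // lower-scored rules override the better-scored one.
      break;
    }
  }

  // `debug` is a module-level logger in the file this function was copied
  // from; guard it so the patch does not throw where none is defined.
  if (typeof debug !== 'undefined' && debug.enabled) {
    debug('The following ACLs were searched: ');
    ranked.forEach(function(acl) {
      acl.debug();
      debug('with score:', acl.score(request));
    });
  }

  return new AccessRequest(
    request.model,
    request.property,
    request.accessType,
    permission || ACL.DEFAULT
  );
};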