Permalink
Fetching contributors…
Cannot retrieve contributors at this time
101 lines (100 sloc) 4.09 KB
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>LoopBack example access control</title>
</head>
<body>
<h1>Startkicker<% if (typeof username !== 'undefined') { %> - Welcome <%=
username %><% } %></h1>
<table border=1 cellpadding=5>
<tr>
<th>Function</th>
<th>Description</th>
<th>Endpoint</th>
<th>Permissions</th>
<th>Roles</th>
<th>Information</th>
</tr>
<tr>
<td><a href="/api/projects/list-projects">List projects</a></td>
<td>Anyone can list public project info (no balance property)</td>
<td>GET /api/projects/list-projects</td>
<td>$everyone, $unauthenticated, $authenticated</td>
<td>Guest, team member, owner, administrator</td>
<td>This endpoint is a remote method with a static ACL set to allow
access for all users (using the built-in role $everyone).</td>
</tr>
<tr>
<td><a href="/api/projects<% if (typeof accessToken !== 'undefined') {
%>?access_token=<%= accessToken %><% } %>">View all
projects</a></td>
<td>Only administrators can view all projects</td>
<td>GET /api/projects</td>
<td>admin</td>
<td>Administator</td>
<td>This REST endpoint is generated from the `slc loopback:model`
command. We create a custom role named "admin" and a role mapping to
set Bob as a "admin". We then apply the ACL to restrict access to only
admins via the `slc loopback:acl` command.</td>
</tr>
<tr>
<td><a href="/api/projects/1<% if (typeof accessToken !== 'undefined')
{ %>?access_token=<%= accessToken %><% } %>">Show balance for
project 1</a></td>
<td>Shows all fields for project 1</td>
<td>GET /api/projects/1</td>
<td>teamMember, $owner</td>
<td>Team member, owner</td>
<td>Also a built-in REST endpoint generated from the `slc
loopback:model` command. We register a custom role resolver here and
use the provided access token to figure out if the request is from a
team member and provide or deny access accordingly.</td>
</tr>
<tr>
<td>
<form action="/api/projects/donate<% if (typeof accessToken !==
'undefined') { %>?access_token=<%= accessToken %><% } %>"
method="post">
<label for="amount">Donate</h2>
<input type="hidden" name="id" value="1">
<input type="text" name="amount" value="100">
<input type="submit" value="Submit">
</form>
</td>
<td>Donate money (default $100) to project 1</td>
<td>POST /api/projects/donate</td>
<td>$authenticated</td>
<td>Team member, owner, admin</td>
<td>A remote method that takes an argument (the amount of money to
donate). We add an ACL that restricts access to any authenticated
user (guests are not allowed to donate).</td>
</tr>
<tr>
<td>
<form action="/api/projects/withdraw<% if (typeof accessToken !==
'undefined') { %>?access_token=<%= accessToken %><% } %>"
method="post">
<label for="amount">Withdraw</h2>
<input type="hidden" name="id" value="1">
<input type="text" name="amount" value="100">
<input type="submit" value="Submit">
</form>
</td>
<td>Withdraw money (default $100) from project 1</td>
<td>POST /api/projects/withdraw</td>
<td>$owner</td>
<td>owner</td>
<td>Another remote method similar to donate, but substracts money from
the balance instead of adding to it. Only the project owner is allowed
to withdraw. We enforce this using `slc loopback:acl` to generate an
ACL restricting access to $owner.</td>
</tr>
<tr>
<td colspan=6><a href="/logout<% if (typeof accessToken !==
'undefined') { %>?access_token=<%= accessToken %><% } %>">Log
out</a></td>
</tr>
</table>
</body>
</html>