-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error "401 Authorization required" when querying methods involving relations #426
Comments
I have the same issue. I also think the 401 Unauthorized is a wrong response. I am authenticated, so it should be 403 forbidden. I'm opening a new issue for that. |
I think this has already been implemented: #301 |
This issue (#426) itself is not yet resolved. Defining an ACL on a relation property does not seem to work for me. |
I am having the exact same issue! I spent a few hours digging through anything I can find, but I still couldnt get it to work! |
@dagumak - can you post the ACL's you defined? |
@fabien I posted it here (#459 (comment)), but here it is:
|
I think the core User ACL's are interfering with the ACL's you defined. I recall the following from one of my projects, which overrides all the ACL's: TestUser.settings.acls = [
{ principalType: 'ROLE',
principalId: '$everyone',
permission: 'DENY' },
{ principalType: 'ROLE', // this is the important bit
principalId: '$owner',
permission: 'ALLOW' },
{ principalType: 'ROLE',
principalId: '$everyone',
permission: 'ALLOW',
property: 'create' },
{ principalType: 'ROLE',
principalId: '$owner',
permission: 'ALLOW',
property: 'deleteById' },
{ principalType: 'ROLE',
principalId: '$everyone',
permission: 'ALLOW',
property: 'login' },
{ principalType: 'ROLE',
principalId: '$everyone',
permission: 'ALLOW',
property: 'logout' },
{ principalType: 'ROLE',
principalId: '$owner',
permission: 'ALLOW',
property: 'findById' },
{ principalType: 'ROLE',
principalId: '$owner',
permission: 'ALLOW',
property: 'updateAttributes' },
{ principalType: 'ROLE',
principalId: '$everyone',
permission: 'ALLOW',
property: 'confirm' }
] |
@dagumak the very least you could do is trace your current TestUser.settings.acls to compare them. |
@fabien I feel silly for asking, but other than console log, how can I do that? On Tue, Aug 19, 2014 at 11:32 PM, Fabien Franzen notifications@github.com
|
@dagumak console.log is fine |
@fabien I am not very familiar with the framework yet, but where are the models loaded and a good place for me to console.log it? |
You can put the following into a file at /server/boot/debug.js: module.exports = function(app) {
var TestUser = app.loopback.getModel('TestUser');
console.log(TestUser.settings.acls);
}; |
You can run the application with DEBUG enabled: $ DEBUG=loopback:security:* node . Thanks, Raymond Feng StrongLoop makes it easy to develop APIs in Node, plus get DevOps capabilities like monitoring, debugging and clustering. On Aug 19, 2014, at 8:29 AM, Fabien Franzen notifications@github.com wrote:
|
@fabien Thanks a bunch! Here it is:
|
Is this resolved ? I am still having the same issue |
[ { principalType: 'ROLE', |
Something that helped me with ACL and relations is to run "DEBUG=loopback:security:* slc run" and then check the property it is trying to access. Example: |
Please create a test project on Github to reproduce the issue as per https://github.com/strongloop/loopback/wiki/Issues#bug-report |
@rubentorresbonet the acl that you defined with the property __get__orders is for which model? |
@rubentorresbonet Holy cow, that worked! I had to use the property
This was on a subclassed user model. The full thing looks like this now:
This can't possibly be the intended design. |
Agree with @jdhiro that from a design perspective, this is very uncomfortable. Would it not be better to introduce a single declaration in order to to set R/W/X privileges on a single relation, just as we can do for other built-in methods? |
By the way, the link to the documentation for accessing related models provided above is broken, the correct one is here: https://docs.strongloop.com/display/public/LB/Accessing+related+models |
I spent a few hours on this too. Doc is not clear. It should clearly mention that default is denied |
While trying CoffeeShop example given at https://docs.strongloop.com/display/LB/Getting+started+part+II I'm getting 401 only while editing the review. I've the ACLs defined as given @ https://docs.strongloop.com/display/public/LB/Define+access+controls So the following ACL entry is failing:
If I change $owner to $authenticated, then I don't get 401. So there seems to be some problem in isOwner().
|
@mike-aungsan I added a note to https://docs.strongloop.com/display/LB/Accessing+related+models#Accessingrelatedmodels-note. |
@crandmck Many Thanks |
Are you guys still running into issues? Can I close this? |
The design seems undesirable, but as long as the design is documented (and it looks like it is from @crandmck post), I don't see a problem closing it. I worked around it in my project -- no longer an immediate concern. |
@jdhiro Sounds good. Please open a new issue if you guys are still running into issues. Better yet, submit a patch and we can go from there. |
Yes - i do sorry for this question but how do I enable the debug view ? "You can run the application with DEBUG enabled: $ DEBUG=loopback:security:* node . " Thanks, |
What do you mean debug view? Run |
Hi, |
somebody can help me ? with the same themes ? |
if somebody can help me, I send the problem !!! |
Execuse me, but on gitter nobody responds, and I cant resolve the problem, I dont know what I can do !!! |
@emazzu @crandmck , i think this problem has come again in the latest repo. @raymondfeng , please look into it. This exposes the security loophole for the app in production. |
@emazzu , @crandmck @raymondfeng , this problem is only with custom access token. I reverted to loopback AccessToken model than it started working as intended. |
I've recently migrated an application to LoopBack 2.0.
All my models require user authentication and have these ACLs:
I have a model called
issues
. After logging in through the POST method/Users/login
:/issues
. I get a list of issues as expected;/issues/{id}/categories
), I get the error401 Authorization required
. The same model used to work in Loopback 1.0.Any clues?
The text was updated successfully, but these errors were encountered: