Loopback provides excellent model-level ACLs for restricting access to an entire model or its methods, but it has no way to restrict access to individual objects. This project tries to solve that by storing an object-level ACL on every object and rewriting Loopback's queries so that only the objects the requesting user may access are returned.
Say we want a book object that only three users (id `"aaa"`, id `"bbb"` and id `"ccc"`) are allowed to read (pun intended):

```http
POST /api/books
```

```json
{
  "title": "Clean Code",
  "subtitle": "A Handbook of Agile Software Craftsmanship",
  "_acl": {
    "r_perm": {
      "users": ["aaa", "bbb", "ccc"]
    }
  }
}
```

The mixin parses the object into the form that is stored in Mongo:
```js
{
  id: ObjectId("123"),
  title: "Clean Code",
  subtitle: "A Handbook of Agile Software Craftsmanship",
  r: {
    u: ["aaa", "bbb", "ccc"],
    g: []
  },
  w: {
    u: [],
    g: []
  }
}
```

This object can now only be accessed by the users `"aaa"`, `"bbb"` or `"ccc"`, and by nobody else. When it is retrieved, the mixin parses the object's ACL back again:
```http
GET /api/books/123
authorization: accessToken-aaa
```

Returns:
```json
{
  "id": "123",
  "title": "Clean Code",
  "subtitle": "A Handbook of Agile Software Craftsmanship",
  "_acl": {
    "r_perm": {
      "users": ["aaa", "bbb", "ccc"]
    }
  }
}
```

while a request from a user without access results in:
```http
GET /api/books/123
authorization: accessToken-ddd
```

Returns:

```
404 Not found
```
Listing every single user who should have access to an object can be clumsy and time-consuming. This is where groups come in handy.
```http
POST /api/books
```

```json
{
  "title": "Clean Code",
  "subtitle": "A Handbook of Agile Software Craftsmanship",
  "_acl": {
    "r_perm": {
      "groups": ["group-id-1"]
    }
  }
}
```

As you might guess, this object can now be accessed by any user whose `acl_groups` (on the user object) contains `group-id-1`.
If `user-id-1` and `user-id-2` are not in `group-id-1`, those users can be given explicit access like this:
```http
POST /api/books
```

```json
{
  "title": "Clean Code",
  "subtitle": "A Handbook of Agile Software Craftsmanship",
  "_acl": {
    "r_perm": {
      "groups": ["group-id-1"],
      "users": ["user-id-1", "user-id-2"]
    }
  }
}
```

If the mixin is installed on a model but no `_acl` is given when a new object is created, the object's visibility is public, e.g.:
```http
POST /api/books
```

```json
{
  "title": "Clean Code",
  "subtitle": "A Handbook of Agile Software Craftsmanship"
}
```

returns
```json
{
  "title": "Clean Code",
  "subtitle": "A Handbook of Agile Software Craftsmanship",
  "_acl": {
    "r_perm": {
      "groups": ["*"],
      "users": ["*"]
    },
    "w_perm": {
      "groups": ["*"],
      "users": ["*"]
    }
  }
}
```

Install the package:

```sh
npm install --save loopback-object-acl
```
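The `_acl` handling described above (request-side `_acl` to the stored `r`/`w` form and back, the public default when no `_acl` is given, and the user/group read check), as an added example that is not the mixin's own code. The function names, the `SAMPLE_DOCS` and the `readScope` `where` clause are my own constructions; `readScope` assumes the MongoDB connector, where a scalar or `inq` condition on an array field matches any element.

```javascript
// Added example (not the mixin's own code): the _acl <-> stored-form
// translation this README describes, a read/write check over the stored form,
// and a LoopBack "where" clause that scopes a query the same way.
// Function names and SAMPLE_DOCS below are my own constructions.

const PUBLIC = '*';

// Request-side _acl -> compact form stored in Mongo (r/w, u/g).
// No _acl at all means the object is public for read and write, as the
// README shows; an _acl that omits a permission or a list leaves it empty.
function toStoredAcl(acl) {
  if (!acl) {
    return { r: { u: [PUBLIC], g: [PUBLIC] }, w: { u: [PUBLIC], g: [PUBLIC] } };
  }
  const perm = (p) => ({ u: (p && p.users) || [], g: (p && p.groups) || [] });
  return { r: perm(acl.r_perm), w: perm(acl.w_perm) };
}

// Stored form -> _acl block returned to the client. Empty permissions are
// left out, matching the README's read-back example (which shows only r_perm).
function fromStoredAcl(stored) {
  const acl = {};
  for (const [op, key] of [['r', 'r_perm'], ['w', 'w_perm']]) {
    const p = stored[op] || { u: [], g: [] };
    if (p.u.length || p.g.length) {
      acl[key] = {};
      if (p.g.length) acl[key].groups = p.g;
      if (p.u.length) acl[key].users = p.u;
    }
  }
  return acl;
}

// May `user` ({ id, acl_groups }) perform op ('r' or 'w') on a stored doc?
// An anonymous request (user == null) only reaches public objects.
function isAllowed(doc, user, op) {
  const perm = doc[op];
  if (!perm) return false;
  if (perm.u.includes(PUBLIC) || perm.g.includes(PUBLIC)) return true;
  if (!user) return false;
  if (perm.u.includes(user.id)) return true;
  return (user.acl_groups || []).some((g) => perm.g.includes(g));
}

// The same rule as a LoopBack `where` clause, so a find() only returns the
// objects the user may read (assumes the MongoDB connector, where a scalar or
// `inq` condition on an array field matches any element).
function readScope(user, op) {
  op = op || 'r';
  const or = [{ [op + '.u']: PUBLIC }, { [op + '.g']: PUBLIC }];
  if (user) {
    or.push({ [op + '.u']: user.id });
    if (user.acl_groups && user.acl_groups.length) {
      or.push({ [op + '.g']: { inq: user.acl_groups } });
    }
  }
  return { or: or };
}

// Constructed sample documents mirroring the README's three cases.
const SAMPLE_DOCS = [
  Object.assign({ id: '123', title: 'Clean Code' },
    toStoredAcl({ r_perm: { users: ['aaa', 'bbb', 'ccc'] } })),
  Object.assign({ id: '124', title: 'Clean Code' },
    toStoredAcl({ r_perm: { groups: ['group-id-1'], users: ['user-id-1'] } })),
  Object.assign({ id: '125', title: 'Clean Code' }, toStoredAcl(undefined)),
];

// Ids of the sample objects `user` may read: what GET /api/books should list.
function readableIds(user) {
  return SAMPLE_DOCS.filter((d) => isAllowed(d, user, 'r')).map((d) => d.id);
}

console.log(readableIds({ id: 'aaa' }));                             // [ '123', '125' ]
console.log(readableIds({ id: 'ddd', acl_groups: ['group-id-1'] })); // [ '124', '125' ]
console.log(JSON.stringify(fromStoredAcl(SAMPLE_DOCS[0])));          // {"r_perm":{"users":["aaa","bbb","ccc"]}}
console.log(JSON.stringify(readScope({ id: 'aaa', acl_groups: ['group-id-1'] })));
```

Note that `isAllowed` and `readScope` must agree: the in-memory check is what you use to decide a single `GET /api/books/:id` (404 when it fails), while the `where` clause is what you fold into the model's `access` hook so that list queries never return objects the user cannot read.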
Add `../node_modules/loopback-object-acl` to the mixins in `model-config.json`:

```json
"_meta": {
  "sources": [
    "loopback/common/models",
    "loopback/server/models",
    "../common/models",
    "./models"
  ],
  "mixins": [
    "loopback/common/mixins",
    "loopback/server/mixins",
    "../common/mixins",
    "./mixins",
    "../node_modules/loopback-object-acl"
  ]
}
```

Set `ObjectAclController` on any model you want to protect with object-level ACLs:
`book.json`

```json
{
  "name": "Book",
  "base": "PersistedModel",
  "idInjection": true,
  "options": {
    "validateUpsert": true
  },
  "mixins": {
    "ObjectAclController": {}
  }
  ...
}
```

This mixin expects a `currentUser` object on the `options` object. This is not default Loopback v3.x behaviour and must be implemented before the mixin can be used.
The implementation is described here: http://loopback.io/doc/en/lb3/Using-current-context.html#use-a-custom-strong-remoting-phase
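Attaching the requesting user to `options.currentUser` through a custom strong-remoting phase, which is the approach the Loopback 3 docs page linked above describes, as an added example that is neither this mixin's nor Loopback's own code. The phase name `options-from-request` is my choice; `User` is assumed to be a model exposing `findById(id, cb)` as Loopback's built-in `User` does, and `FAKE_USER_MODEL` is a constructed stand-in so the example runs without a database.

```javascript
// Added example (not the mixin's or Loopback's code): attaching the requesting
// user to options.currentUser with a custom strong-remoting phase, the approach
// described on the Loopback 3 docs page linked above. The phase name
// 'options-from-request' is my choice; `User` is assumed to be a model with
// findById(id, cb), as Loopback's built-in User has.

// Returns the phase handler. `ctx.args.options` is the remoting `options`
// argument, which Loopback 3 populates with the request's accessToken.
function currentUserPhase(User) {
  return function (ctx, next) {
    const options = ctx.args && ctx.args.options;
    // Anonymous request (no token) or no options object: leave currentUser unset
    if (!options || !options.accessToken) return next();
    User.findById(options.accessToken.userId, function (err, user) {
      if (err) return next(err);
      options.currentUser = user; // null when the token's user no longer exists
      next();
    });
  };
}

// Boot script body (a file such as server/boot/current-user.js would
// module.exports this). Registered before 'invoke' so the mixin sees
// options.currentUser when the model method runs.
function currentUserBoot(app) {
  app.remotes().phases
    .addBefore('invoke', 'options-from-request')
    .use(currentUserPhase(app.models.User));
}

// Constructed stand-in for app.models.User, so this runs without a database.
const FAKE_USER_MODEL = {
  findById(id, cb) {
    const users = { 'user-id-1': { id: 'user-id-1', acl_groups: ['group-id-1'] } };
    cb(null, users[id] || null);
  },
};

// Run the handler against a constructed remoting context and return the
// options object it leaves behind.
function runPhase(accessToken) {
  const ctx = { args: { options: accessToken ? { accessToken: accessToken } : {} } };
  let failure = null;
  currentUserPhase(FAKE_USER_MODEL)(ctx, function (err) { failure = err || null; });
  if (failure) throw failure;
  return ctx.args.options;
}

console.log(runPhase({ userId: 'user-id-1' }).currentUser); // { id: 'user-id-1', acl_groups: [ 'group-id-1' ] }
console.log(runPhase(null).currentUser);                    // undefined
```

Because the mixin reads `currentUser` from `options`, anything that calls the model without going through the REST layer (a boot script, a cron job, another model's method) has to pass `options` along explicitly; a call that drops `options` arrives with no user and is treated as anonymous.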
This mixin has only been tested with Loopback v3.x, using MongoDB as the DataSource.
Version 2.0