Prerequisites:
Recommended: Read LoopBack core concepts.
Page Contents
Note:
If you followed the previous step in the tutorial, go to Introducing access controls.
If you’re just jumping in, follow the steps below to catch up...
Get the app (in the state following the last article) from GitHub and install all its dependencies:
$ git clone https://github.com/strongloop/loopback-getting-started-intermediate.git
$ cd loopback-getting-started-intermediate
$ git checkout step3
$ npm install
LoopBack applications access data through models, so controlling access to data means putting restrictions on models; that is, specifying who or what can read and write the data or execute methods on the models. LoopBack access controls are determined by access control lists or ACLs. For more information, see Controlling data access.
You’re going to set up access control for the Review model.
The access controls should enforce the following rules:
Once again, you’ll use the lb tool, but this time you’ll use the acl sub-command; for each ACL, enter:
$ lb acl
The tool will prompt you to provide the required information, as summarized below.
Deny everyone all endpoints. This is often the starting point when defining ACLs, because then you can selectively allow access for specific actions.
? Select the model to apply the ACL entry to: (all existing models)
? Select the ACL scope: All methods and properties
? Select the access type: All (match all types)
? Select the role: All users
? Select the permission to apply: Explicitly deny access
Now allow everyone to read reviews.
? Select the model to apply the ACL entry to: Review
? Select the ACL scope: All methods and properties
? Select the access type: Read
? Select the role: All users
? Select the permission to apply: Explicitly grant access
Allow authenticated users to read coffeeshops; that is, if you’re logged in, you can view all coffeeshops.
? Select the model to apply the ACL entry to: CoffeeShop
? Select the ACL scope: All methods and properties
? Select the access type: Read
? Select the role: Any authenticated user
? Select the permission to apply: Explicitly grant access
Allow authenticated users to write a review; that is, if you’re logged in, you can add a review.
? Select the model to apply the ACL entry to: Review
? Select the ACL scope: A single method
? Enter the method name: create
? Select the role: Any authenticated user
? Select the permission to apply: Explicitly grant access
Now, enable the author of a review (its "owner") to make any changes to it.
$ lb acl
? Select the model to apply the ACL entry to: Review
? Select the ACL scope: All methods and properties
? Select the access type: Write
? Select the role: The user owning the object
? Select the permission to apply: Explicitly grant access
When you’re done, the ACL section in common/models/review.json should look like this:
...
"acls": [{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "DENY"
}, {
"accessType": "READ",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "ALLOW"
}, {
"accessType": "EXECUTE",
"principalType": "ROLE",
"principalId": "$authenticated",
"permission": "ALLOW",
"property": "create"
}, {
"accessType": "WRITE",
"principalType": "ROLE",
"principalId": "$owner",
"permission": "ALLOW"
}],
...
Next: Continue to Define a remote hook.