The best solution for controlling access to models in StrongLoop


Question

I'm new to StrongLoop. I have 2 models (CustomUser and Item). I want any CustomUser to have access to his Items. I don't want to use the default APIs exposed by StrongLoop because I don't want CustomUsers to be able to define filters with these APIs. I define my own RemoteMethod that returns items based on an internal filter. My question: should I check the current user and return his related items, or can I use ACLs in StrongLoop for this matter? If ACLs are the correct answer, where should I insert my RemoteMethod (CustomUser model or Item model) and how do I define the correct settings for the use of ACLs?

Recommended answer

Yes, it's possible. LoopBack is very flexible.

Of course, you asked 2 different questions:

  1. How to disable applying "where" filters in the API.
  2. How a CustomUser can access only his Items.


For the first question, you can use LoopBack hooks and set where filters based on whatever you want. In this way, you are not compelled to write a new remote method.

var loopback = require('loopback');

Item.observe('access', function limitToTenant(ctx, next) {
  // getCurrentContext() can be null outside a request, and the value is
  // read with .get(), not as a plain property; guard both cases.
  var currentCtx = loopback.getCurrentContext();
  var tenantId = currentCtx && currentCtx.get('tenantId');
  // A request with no filter has no ctx.query.where yet; create it.
  ctx.query = ctx.query || {};
  ctx.query.where = ctx.query.where || {};
  ctx.query.where.tenantId = tenantId;
  next();
});


And for the next question you must use some ACLs and relations for your two models, like this:

First, disable access to all remote methods in the Item.json model:

"acls": [
  {
    "accessType": "*",
    "principalType": "ROLE",
    "principalId": "$everyone",
    "permission": "DENY"
  }
]

Next, in the CustomUser.json model, define which methods of the Item model can be used:

"acls": [
  {
    "principalType": "ROLE",
    "principalId": "$owner",
    "permission": "ALLOW",
    "property": "__create__items"
  },
  {
    "principalType": "ROLE",
    "principalId": "$owner",
    "permission": "ALLOW",
    "property": "__get__items"
  },
  {
    "principalType": "ROLE",
    "principalId": "$owner",
    "permission": "ALLOW",
    "property": "__count__items"
  }
  ...
]

Next, define a relation between the CustomUser and Item models.

"relations": {
  "customUser": {
    "type": "belongsTo",
    "model": "CustomUser",
    "foreignKey": "ownerId"
  }
}

In CustomUser.json:

"relations": {
  "items": {
    "type": "hasMany",
    "model": "Item",
    "foreignKey": "ownerId"
  }
}

Then create a new user, log in with the received accessToken, and keep the userId for the next steps.

Now, if you want to post a new Item, you can use this API:

POST (items data) : api/CustomUser/{userId}/items/

And to get his items you can use:

GET : api/CustomUser/{userId}/items/

In this way ownerId will be saved automatically in the Item model, and other users can't access his Items.
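The answer's "access" hook and its ACL setup both rest on one idea: the owner constraint must be applied server-side to every read, and the client must not be able to widen it. The following is an added example (not code from the answer or from the LoopBack project) that shows an owner-scoping hook handling the cases the short snippet above does not: a request with no filter at all, a client that supplies its own ownerId, a client "or" filter, and an unauthenticated request. It assumes the owner id arrives as `ctx.options.accessToken.userId`, which LoopBack 3 populates when the model sets `"injectOptionsFromRemoteContext": true` (an assumption about your version; `limitToOwner`, `scopeToOwner` and `runHook` are names chosen here, and the sample tokens and filters are constructed).

```javascript
'use strict';

// Added example, not from the original answer or from LoopBack itself.
// Owner-scoping for a model's "access" hook, plus a driver that calls the
// hook the way LoopBack calls observers (ctx, next) so it can be exercised
// offline. Assumption: the caller's identity is in ctx.options.accessToken,
// which LoopBack 3 provides when the model sets
// "injectOptionsFromRemoteContext": true.

// Build the where clause the caller is allowed to see. The client's own
// conditions are kept, but any client-supplied ownerId is discarded and the
// real owner constraint is ANDed on top, so the client cannot widen the set.
function scopeToOwner(where, ownerId) {
  var clientWhere = where ? Object.assign({}, where) : {};
  delete clientWhere.ownerId; // never trust an ownerId chosen by the client
  if (Object.keys(clientWhere).length === 0) {
    return { ownerId: ownerId };
  }
  // Explicit "and" keeps the intent unambiguous whatever top-level keys
  // (including "or") the client sent.
  return { and: [{ ownerId: ownerId }, clientWhere] };
}

// The observer itself, in LoopBack's (ctx, next) shape. A request with no
// authenticated user is rejected rather than silently returning all rows.
function limitToOwner(ctx, next) {
  var token = ctx.options && ctx.options.accessToken;
  if (!token || token.userId === undefined) {
    var err = new Error('Authorization Required');
    err.statusCode = 401;
    return next(err);
  }
  // GET /Items with no filter reaches the hook with no ctx.query.where;
  // the original snippet would throw here, so create the objects first.
  ctx.query = ctx.query || {};
  ctx.query.where = scopeToOwner(ctx.query.where, token.userId);
  next();
}

// Driver mimicking how LoopBack invokes the observer. Returns the resulting
// where clause and any error so the behaviour can be checked directly.
function runHook(filter, accessToken) {
  var ctx = { query: filter, options: { accessToken: accessToken } };
  var result = { error: null, where: undefined };
  limitToOwner(ctx, function (err) {
    result.error = err || null;
    result.where = ctx.query && ctx.query.where;
  });
  return result;
}

// In a real project the hook would be registered from common/models/item.js:
//   module.exports = function (Item) { Item.observe('access', limitToOwner); };

// Constructed sample requests for user 7.
var tokenForUser7 = { id: 'constructed-token', userId: 7 };

var noFilter = runHook({}, tokenForUser7);                       // { ownerId: 7 }
var foreignOwner = runHook({ where: { ownerId: 9 } }, tokenForUser7); // { ownerId: 7 }
var clientOr = runHook(
  { where: { or: [{ name: 'a' }, { name: 'b' }] } }, tokenForUser7);
var anonymous = runHook({}, undefined);                          // 401 error

console.log(JSON.stringify({
  noFilter: noFilter.where,
  foreignOwner: foreignOwner.where,
  clientOr: clientOr.where,
  anonymousStatus: anonymous.error && anonymous.error.statusCode
}, null, 2));
```

The point of rejecting a missing token in the hook is defence in depth: the ACLs in the answer should already deny anonymous access, but if an ACL is later loosened or a new remote method is added, the data layer still refuses to return rows that are not scoped to an owner.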
