StrongLoop: POST access not being blocked


Question

I'm using ACL rules to block all types of access from all users. It is working for GET access but it is NOT working for POST access.

Any ideas?

Here is the code and sample results:

/common/models/client.json

{
  "name": "client",
  "plural": "clients",
  "base": "User",
  "idInjection": true,
  "properties": {},
  "validations": [],
  "relations": {},
  "acls": [
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
    }
  ],
  "methods": {}
}

GET access error (works as expected, access is blocked):

CURL

curl -X GET --header "Accept: application/json" "http://localserver:8080/api/quants"

Response:

{
  "error": {
    "name": "Error",
    "status": 401,
    "message": "Authorization Required",
    "statusCode": 401,
    "code": "AUTHORIZATION_REQUIRED",
    "stack": "Error: Authorization Required\n    at ...
  }
}

POST error, access is not blocked. Not working:

CURL:

curl -X POST --header "Content-Type: application/json" --header "Accept: application/json" -d "{
  \"email\": \"test@email.com\",
  \"password\": \"abcd1234\"
}
" "http://localserver:8080/api/clients"

Response:

{
  "email": "test@email.com",
  "id": "46b258078da5dtg1ji5809ww"
}

Accepted answer

Before suggesting solutions, I'll try to explain the cause of the 'create' (POST) method not being denied.

Your client model is a sub-model of Loopback's built-in User model.

Two important things to keep in mind in this case:

  1. ACLs defined in a sub-model do not override the base class ACLs, but are merged with them.

  2. When a request is checked against ACLs, Loopback's algorithm gives the closer match higher weight. A closer match in this specific case is a more specific ACL definition. (reference here)

Now, Loopback's User model contains the following ACL:

{
  "principalType": "ROLE",
  "principalId": "$everyone",
  "permission": "ALLOW",
  "property": "create"
}

The ACL you defined

{
  "accessType": "*",
  "principalType": "ROLE",
  "principalId": "$everyone",
  "permission": "DENY"
  // no specific property
}

is less specific, so the algorithm does not select it.

In order to solve the issue, you can:

  1. Add a specific ACL denying creation:

{
  "principalType": "ROLE",
  "principalId": "$everyone",
  "permission": "DENY",
  "property": "create"
}

  2. Remove the ACL allowing create from the base User model (very bad solution, but works)
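The two rules in the answer (sub-model ACLs are merged with the base model's, and the more specific matching entry wins) can be checked with a small simulation. The code below is an added illustration, not LoopBack's own ACL implementation: the scoring (a named `property` beats no property, an explicit `accessType` beats `*`) and the tie-break (DENY wins when two entries are equally specific) are assumptions chosen to reproduce the behaviour the answer describes. The request shapes (`find`/READ for GET, `create`/WRITE for POST) and the ACL entries are constructed from the question and answer above.

```javascript
'use strict';

// Added illustration, not LoopBack's code: a minimal model of the two rules the
// answer states, (1) sub-model ACLs are merged with the base model's ACLs, and
// (2) among matching entries the more specific one wins. The scoring and the
// tie-break below are assumptions chosen to reproduce the described behaviour.

// ACL entry quoted from LoopBack's built-in User model (as given in the answer).
const BASE_USER_ACLS = [
  { principalType: 'ROLE', principalId: '$everyone', permission: 'ALLOW', property: 'create' },
];

// The single ACL from the question's client.json: deny everything, no property.
const CLIENT_ACLS = [
  { accessType: '*', principalType: 'ROLE', principalId: '$everyone', permission: 'DENY' },
];

// The answer's suggested fix: an entry as specific as the base ALLOW, but DENY.
const DENY_CREATE_ACL = {
  principalType: 'ROLE', principalId: '$everyone', permission: 'DENY', property: 'create',
};

// Rule (1): the sub-model does not replace the base ACLs; both lists apply.
function mergeAcls(baseAcls, subAcls) {
  return baseAcls.concat(subAcls);
}

// Does this entry apply to the request? Only the $everyone role is modelled here.
function aclMatches(acl, request) {
  if (acl.principalType !== 'ROLE' || acl.principalId !== '$everyone') return false;
  if (acl.property !== undefined && acl.property !== request.method) return false;
  if (acl.accessType !== undefined && acl.accessType !== '*' &&
      acl.accessType !== request.accessType) return false;
  return true;
}

// Rule (2): a named method beats a wildcard; an explicit access type beats '*'.
function specificity(acl) {
  let score = 0;
  if (acl.property !== undefined) score += 2;
  if (acl.accessType !== undefined && acl.accessType !== '*') score += 1;
  return score;
}

// Resolve a request to ALLOW or DENY. Assumption: on an exact specificity tie,
// DENY wins (the conservative choice, and the one that makes the fix effective).
function resolvePermission(acls, request) {
  const matching = acls.filter((acl) => aclMatches(acl, request));
  if (matching.length === 0) return 'DENY'; // assumption: nothing matched, deny
  matching.sort((a, b) => {
    const diff = specificity(b) - specificity(a);
    if (diff !== 0) return diff;
    return (a.permission === 'DENY' ? 0 : 1) - (b.permission === 'DENY' ? 0 : 1);
  });
  return matching[0].permission;
}

// Constructed requests mirroring the question's two curl calls.
const GET_REQUEST = { method: 'find', accessType: 'READ' };
const POST_REQUEST = { method: 'create', accessType: 'WRITE' };

// The situation in the question: only the wildcard DENY in client.json.
function beforeFix() {
  const acls = mergeAcls(BASE_USER_ACLS, CLIENT_ACLS);
  return { get: resolvePermission(acls, GET_REQUEST), post: resolvePermission(acls, POST_REQUEST) };
}

// After adding the specific DENY on 'create' as the answer suggests.
function afterFix() {
  const acls = mergeAcls(BASE_USER_ACLS, CLIENT_ACLS.concat([DENY_CREATE_ACL]));
  return { get: resolvePermission(acls, GET_REQUEST), post: resolvePermission(acls, POST_REQUEST) };
}

console.log('before fix:', beforeFix()); // { get: 'DENY', post: 'ALLOW' }
console.log('after fix: ', afterFix());  // { get: 'DENY', post: 'DENY' }
```

Run it with `node` and compare with the curl results in the question: the wildcard DENY alone blocks `find` but loses to the base model's specific ALLOW on `create`, and only an equally specific DENY on `create` closes the gap. When auditing a sub-model's ACLs, the practical check is therefore to list the base model's entries alongside your own rather than reading your model's `acls` array in isolation.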
