如何限制用户访问其他信息? 我有一个客户模型,默认情况下我可以通过角色限制访问,但所有“用户”角色都可以访问客户模型。我不希望其他人通过猜测其他身份证号码来访问其他人。只有支持角色才能自由访问所有信息。我该怎么做?
答案 0 :(得分:0)
ACL非常适合您的需求!
创建自定义用户,从基础LoopBack用户模型扩展:
$ slc loopback:model
? Enter the model name: BookUser
? Select the data-source to attach BookUser to: db (memory)
? Select model's base class User
? Expose BookUser via the REST API? Yes
? Custom plural form (used to build REST URL):
? Common model or server only? common
Let's add some BookUser properties now.
Enter an empty property name when done.
? Property name: Name
(!) generator#invoke() is deprecated. Use generator#composeWith() - see http://yeoman.io/authoring/composability.html
invoke loopback:property
? Property type: string
? Required? No
拒绝对/ Users的所有请求,然后明确授予您想要的内容。
<强>拒绝
$ slc loopback:acl
? Select the model to apply the ACL entry to: BookUser
? Select the ACL scope: All methods and properties
? Select the access type: All (match all types)
? Select the role All users
? Select the permission to apply Explicitly deny access
允许“所有者”(例如,登录的用户)findById
$ slc loopback:acl
? Select the model to apply the ACL entry to: BookUser
? Select the ACL scope: A single method
? Enter the method name findById
? Select the role The user owning the object
? Select the permission to apply Explicitly grant access
现在打开您的API资源管理器,并向用户POST两次,创建两个用户。
然后以第一个用户(id为1)登录,设置您的访问密钥。
尝试访问/ Users / 2(第二位用户)。
{
"error": {
"name": "Error",
"status": 401,
"message": "Authorization Required",
"statusCode": 401,
"code": "AUTHORIZATION_REQUIRED",
"stack": "Error: Authorization Required\n ..."
}
}
现在尝试访问/ Users / 1(当前登录的用户)。
{
"email": "someguy@somesite.com",
"id": 1
}