fullcube / loopback-component-access-groups
Access controls for Loopback.
Your component is great but I run into crashes when I use the mongodb connector.
It happens when trying to call `set()` on a null object returned from `this.app.loopback.getCurrentContext()`:
https://github.com/fullcube/loopback-component-access-groups/blob/master/lib/utils.js#L298
To reproduce it you can change the datasource in your simple-app using this configuration:

```json
{
  "db": {
    "host": "127.0.0.1",
    "port": 27017,
    "database": "group-access-test",
    "name": "db",
    "connector": "mongodb"
  }
}
```
There are many issues on loopback's github project about mongodb and `getCurrentContext()`; they are probably related, but they are all "Closed":
strongloop/loopback#885
strongloop/loopback#809
and more
Using the memory connector works fine.
I am using the latest packages:

```json
"loopback": "^2.29.1",
"loopback-boot": "^2.21.0",
"loopback-component-access-groups": "^0.2.0",
"loopback-connector-mongodb": "^1.15.2",
"loopback-datasource-juggler": "^2.47.0",
```
| Branch | Build failing 🚨 |
|---|---|
| Dependency | chai |
| Current Version | 4.1.0 |
| Type | devDependency |

This version is covered by your current version range and after updating it in your project the build failed.
As chai is "only" a devDependency of this project it might not break production or downstream projects, but "only" your build or test tools, preventing new deploys or publishes.
I recommend you give this issue a high priority. I'm sure you can resolve this 💪
This release includes a few bug and documentation fixes.
- `.instanceof` fixed to allow DOM interfaces in IE11 (#1000, #1008; @meeber)
- `.include` fixed to work with all objects (#1009, #1012; @meeber)

The new version differs by 10 commits.
- `02ddebd` Merge pull request #1019 from meeber/release-4.1.1
- `ac48db3` [email protected]
- `d2e9599` Merge pull request #1016 from chaijs/fix-reindent-code-1014
- `92d2cca` docs: re-indent hasAnyKeys code
- `b625497` Merge pull request #1012 from meeber/fix-include-types
- `8fa24f2` Merge pull request #1014 from zenHeart/fix-hasAnyKeys-comment
- `113a5b8` fix: correct hasAnyKeys comment error
- `c01cf30` fix: .include to work with all objects
- `1847ef8` Merge pull request #1008 from meeber/fix-ie11-instanceof
- `c107abb` fix: .instanceof to allow DOM interfaces in IE11
See the full diff
There is a collection of frequently asked questions and of course you may always ask my humans.
Your Greenkeeper Bot 🌴
Currently it's left to users to define their GroupAccessModel. It would be better if this model was initialized automatically if it doesn't already exist.
Hello,
Do you plan to adjust this package to be usable with Loopback 3.x? That would mainly mean refactoring the code to use options propagation rather than the deprecated LoopBack current-context APIs (see documentation for details).
Hi, I need to work with the following relations instead:
User -> belongsTo -> Groups
Group -> hasMany -> Users
How can I override these relations in the component configuration options?
Thanks in advance.
In my scenario I want to use the component to have two levels of access groups.
When we have multiple users using the system at the same time, the `this.getCurrentUser` call will often return the wrong value.
It seems that getCurrentContext has several issues listed in the loopback github issues and google groups. I'm curious if you've experienced this at all or have any suggestions on how to resolve it?
Hi,
can it be done without getCurrentContext?
ty
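The failure reported in the two posts above (the wrong user coming back from `getCurrentContext()` under concurrent requests) and the options-propagation refactor proposed for Loopback 3.x, as an added example that is not the component's own code: a deterministic simulation in which a process-wide "current context" slot is read back after a request has waited on I/O, beside the same handler carrying its caller in an explicitly passed options object. The request names, the round-robin scheduler and the generator-based handlers are constructed for illustration.

```javascript
'use strict';
// Added example, not the component's own code. A global slot stands in for
// what getCurrentContext() reads; each `yield` stands for an await on a
// data-source call, during which other requests get to run. Names and the
// scheduler are constructed for illustration.

let currentContext = null;   // process-wide slot, like a global current context

// Pattern 1: set the slot at the start of the request, read it back later.
function* handlerWithGlobalContext(userId) {
  currentContext = { userId };        // set when the request arrives
  yield;                              // data-source call in flight
  return currentContext.userId;       // read back after the await
}

// Pattern 2: the caller travels with the call in an options object.
function* handlerWithOptions(options) {
  yield;                              // same data-source call
  return options.currentUserId;       // nothing shared between requests
}

// Round-robin scheduler: advances each handler one step at a time, the way
// the event loop interleaves requests that are waiting on I/O.
function runInterleaved(handlers) {
  const results = {};
  const queue = Object.entries(handlers).map(([name, gen]) => ({ name, gen }));
  while (queue.length > 0) {
    const { name, gen } = queue.shift();
    const step = gen.next();
    if (step.done) results[name] = step.value;
    else queue.push({ name, gen });
  }
  return results;
}

// Two overlapping requests, one per user. Each value is the user id the
// handler believed it was serving.
function raceWithGlobalContext() {
  return runInterleaved({
    alice: handlerWithGlobalContext('alice'),
    bob: handlerWithGlobalContext('bob'),
  }); // { alice: 'bob', bob: 'bob' }: alice's request is served as bob
}

function raceWithOptions() {
  return runInterleaved({
    alice: handlerWithOptions({ currentUserId: 'alice' }),
    bob: handlerWithOptions({ currentUserId: 'bob' }),
  }); // { alice: 'alice', bob: 'bob' }
}
```

The interleaving is the whole point: bob's request overwrites the slot while alice's data-source call is still pending, so alice's access filter would be built for bob. With options propagation the LoopBack 3 documentation has the remoting layer place the access token in `options.accessToken` and hand the same object to operation hooks as `ctx.options`, so the user id is read from what was passed in rather than from shared state.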
| Branch | Build failing 🚨 |
|---|---|
| Dependency | supertest |
| Current Version | 3.2.0 |
| Type | devDependency |
This version is covered by your current version range and after updating it in your project the build failed.
supertest is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.
- #509 - Fix #486, bug in _assertBody, switch to deepStrictEqual (thanks @mikelax)
- #510 - Refactor test files to use const/let (thanks @rimiti)
The new version differs by 10 commits.
- `e910e85` chore: Prepare for v3.3.0 release.
- `bd864de` Merge pull request #511 from visionmedia/bugfix-486-equal
- `101fbf5` Merge branch 'master' into bugfix-486-equal
- `04230bb` Merge pull request #510 from visionmedia/refact-const-let
- `510a7ae` bugfix: 486 Change method to use deepStrictEqual. (#509)
- `913150d` chore(.editorconfig) [*.md] block removed
- `82e0828` refact(test/supertest.js) vars replaced by const and let
- `5443136` chore(.editorconfig) configuration file created
- `7233ba6` chore(.eslintrc) parserOptions option added to use es6
- `322ebf6` bugfix: 486 Change method to use deepStrictEqual.
See the full diff
There is a collection of frequently asked questions. If those don't help, you can always ask the humans behind Greenkeeper.
Your Greenkeeper Bot 🌴
Hello and thanks for your module.
If we customize the name of the team model, the code will die due to the following line in the user-context.js file:
`app.models.Team.find({`
You are using bluebird but you are not requiring it in the user context. For that reason it fails with the message: `TypeError: Promise.join is not a function`
Adding `var Promise = require("bluebird");` solves the issue.
```javascript
if (ctx.options.skipAccess) {
  debug('skipAccess: true - skipping access filters');
  return next();
}
// Do not filter if the request is being made against a single model instance.
if (_get(ctx.query, 'where.id')) {
  debug('looking up by Id - skipping access filters');
  return next();
}
```
These two access bypass mechanisms are undocumented and could expose data to unauthorised users.
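The two early returns quoted above, shown side by side with a filter that does not drop the group restriction for id lookups, as an added example that is not the component's own code. The invoice rows, the `storeId` group key, the group lists and the small where-clause matcher are constructed for illustration; `whereAsQuoted` keeps the control flow of the quoted middleware but returns the effective where clause instead of calling `next()`.

```javascript
'use strict';
// Added example, not the component's own code. Contrasts the quoted filter
// (two early returns leave the query untouched) with a variant that always
// ANDs the group restriction in. Data and names are constructed.

const _get = (obj, path) =>
  path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);

// Constructed sample data: one invoice per group.
const INVOICES = [
  { id: 1, storeId: 'A', name: 'A invoice' },
  { id: 2, storeId: 'B', name: 'B invoice' },
];

// Matcher for the subset of LoopBack's where syntax used here:
// equality, { inq: [...] } and { and: [...] }.
function matches(doc, where) {
  if (!where) return true;
  return Object.entries(where).every(([key, cond]) => {
    if (key === 'and') return cond.every((w) => matches(doc, w));
    if (cond && typeof cond === 'object' && Array.isArray(cond.inq)) {
      return cond.inq.includes(doc[key]);
    }
    return doc[key] === cond;
  });
}

const find = (where) => INVOICES.filter((doc) => matches(doc, where));

// The restriction the filter should add for a user allowed into `groups`.
const groupRestriction = (groupKey, groups) => ({ [groupKey]: { inq: groups } });

// Same control flow as the quoted middleware.
function whereAsQuoted(ctx, groupKey, groups) {
  if (_get(ctx, 'options.skipAccess')) return ctx.query.where;   // bypass 1: skipAccess option
  if (_get(ctx.query, 'where.id')) return ctx.query.where;        // bypass 2: lookup by id
  return { and: [ctx.query.where || {}, groupRestriction(groupKey, groups)] };
}

// Hardened variant: an id lookup is not a reason to drop the restriction; a
// record in another group simply does not match. skipAccess is honoured only
// when it is exactly `true`, which server-side callers set; request input must
// never be copied into ctx.options.
function whereHardened(ctx, groupKey, groups) {
  if (_get(ctx, 'options.skipAccess') === true) return ctx.query.where;
  return { and: [ctx.query.where || {}, groupRestriction(groupKey, groups)] };
}

// Run a request `where` for a user whose groups are `groups`; return ids.
function findAsQuoted(where, groups, options = {}) {
  const ctx = { query: { where }, options };
  return find(whereAsQuoted(ctx, 'storeId', groups)).map((d) => d.id);
}

function findHardened(where, groups, options = {}) {
  const ctx = { query: { where }, options };
  return find(whereHardened(ctx, 'storeId', groups)).map((d) => d.id);
}
```

A member of group A asking for `{ id: 2 }` gets team B's invoice back from the quoted flow and an empty result from the hardened one; the skipAccess path still exists in both, which is why it needs documenting as a server-only option rather than being left implicit.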
Hi there, is there a way to bypass group access control for specific user(s) so they could access all content?
I've considered several ideas such as filtering all requests for particular users but haven't been able to get a working solution.
Any help would be appreciated!
Is it possible to use the group roles to restrict access to the Group model itself? I.e. if I want to store data in my GroupModel and restrict access to GroupRoles, e.g. member only read, admin read/write, I need to be able to use the GroupRoles in the ACL of my GroupModel. Is that possible?
If I understood correctly, I can only use the GroupRoles in the ACL of models which have a belongsTo relation to the GroupModel, but not the GroupModel itself?
So then I would have to create an addition model with a one-to-one relation to the GroupModel and store my group data there?
In the simple-app component-config.js file a "groupAccessModels" property is defined. It does not appear to serve any purpose.
It should be removed to avoid confusion.
I'm working in a project where we have two User models. When I log in with a user that isn't specified as userModel in component-config.json, /lib/middleware/user-context.js throws an Error on line 33 that, I think, shouldn't be thrown.
How should I implement this using a custom user model [PersistedModel] while using a third party [Auth0] for login/signup? We store the user details, without a password, in our user [PersistedModel].
Love the idea of this library, thanks for making it available.
I hope I'm missing something but it looks like you can PUT and POST invoices within your own team using the storeMemberA user if you send the `id` and `invoiceId` properties?
```javascript
it('should not create a teams invoice with id props', function() {
  return logInAs(user.username)
    .then(res => json('post', `/api/invoices?access_token=${res.body.id}`)
      .send({ storeId: 'A', name: 'A invoice', invoiceNumber: 123, id: 123 })
      .expect(401))
})
```
returns 200
Even worse it looks like you can do the same across teams if you include the same properties.
```javascript
it('should not create another teams invoice with id props', function() {
  return logInAs(user.username)
    .then(res => json('post', `/api/invoices?access_token=${res.body.id}`)
      .send({ storeId: 'B', name: 'A invoice', invoiceNumber: 223, id: 223 })
      .expect(401))
})

it('should not create another teams invoice with id prop', function() {
  return logInAs(user.username)
    .then(res => json('put', `/api/invoices?access_token=${res.body.id}`)
      .send({
        id: 21234,
        storeId: 'B',
        invoiceNumber: 21234,
      })
      .expect(401))
})
```
both return 200
I've updated the rest-test.js file in this branch, which highlights the issue: https://github.com/hbbh/loopback-component-access-groups/tree/test-create-upsert-permissions
It's probably my phat-hands, but it would be good to get another pair of eyes on it.
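A write-side ownership check of the kind the three failing tests above expect, as an added example that is not the component's own code. The point is that a client-supplied `id` turns a create into an update of whatever record already carries that id, so the check has to look at the existing record's group as well as the group claimed in the body. The records, the users' memberships, the `storeId` group key and the `attempt` wrapper are constructed for illustration and mirror the quoted test data.

```javascript
'use strict';
// Added example, not the component's own code. Authorises create-or-update
// requests that may carry an `id`, refusing writes whose id belongs to a
// record in a group the user is not a member of. Data and names are
// constructed.

const INVOICES = new Map([
  [123, { id: 123, storeId: 'A', name: 'A invoice', invoiceNumber: 123 }],
  [223, { id: 223, storeId: 'B', name: 'B invoice', invoiceNumber: 223 }],
]);
const MEMBERSHIP = { storeMemberA: ['A'], storeMemberB: ['B'] };
let nextId = 1000;

class AccessDenied extends Error {
  constructor(message) { super(message); this.statusCode = 401; }
}

// Both the group named in the body and, when body.id names a record that
// already exists, that record's group must be among the user's groups.
// Checking only the body would let { id: 223, storeId: 'A' } overwrite or
// move team B's invoice.
function authorizeWrite(user, body, groupKey = 'storeId') {
  const groups = MEMBERSHIP[user] || [];
  if (!groups.includes(body[groupKey])) {
    throw new AccessDenied(`${user} is not a member of ${groupKey}=${body[groupKey]}`);
  }
  if (body.id !== undefined && INVOICES.has(body.id)) {
    const existing = INVOICES.get(body.id);
    if (!groups.includes(existing[groupKey])) {
      throw new AccessDenied(`id ${body.id} belongs to ${groupKey}=${existing[groupKey]}`);
    }
  }
  return groups;
}

// Create-or-update: what a PUT to the collection does in LoopBack, and what
// a POST with an id effectively does as well.
function upsert(user, body) {
  authorizeWrite(user, body);
  const record = Object.assign({}, INVOICES.get(body.id) || {}, body);
  if (record.id === undefined) record.id = nextId++;
  INVOICES.set(record.id, record);
  return record;
}

// Returns the status code a REST layer would send for the request.
function attempt(user, body) {
  try {
    return { status: 200, body: upsert(user, body) };
  } catch (err) {
    if (err instanceof AccessDenied) return { status: err.statusCode, body: { error: err.message } };
    throw err;
  }
}
```

The second rejected request is the important one: the body claims `storeId: 'A'`, which the user is entitled to, but id 223 is team B's record, so the lookup of the existing record is what blocks the overwrite.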
Currently users are required to setup the middleware components manually. This could be done automatically.
The following is the error I receive while trying to install loopback-component-access-groups just after installing StrongLoop Loopback and creating a brand new LoopBack API project.
```text
Jamess-MacBook-Pro:loopback-access-groups jameseisenlohr$ npm install --save loopback-component-access-groups
npm WARN peerDependencies The peer dependency loopback@>=2.25.0 included from loopback-component-access-groups will no
npm WARN peerDependencies longer be automatically installed to fulfill the peerDependency
npm WARN peerDependencies in npm 3+. Your application will need to depend on it explicitly.
npm ERR! Darwin 14.5.0
npm ERR! argv "/usr/local/bin/node" "/usr/local/bin/npm" "install" "--save" "loopback-component-access-groups"
npm ERR! node v4.4.7
npm ERR! npm v2.15.8
npm ERR! code EPEERINVALID
npm ERR! peerinvalid The package [email protected] does not satisfy its siblings' peerDependencies requirements!
npm ERR! peerinvalid Peer [email protected] wants loopback@>=2.25.0
npm ERR! Please include the following file with any support request:
npm ERR! /Users/jameseisenlohr/Tests/loopback-access-groups/npm-debug.log
Jamess-MacBook-Pro:loopback-access-groups jameseisenlohr$
```
Any suggestions and help would be appreciated.