ACL Support #34
Comments
I am looking into it. The one approach that might work is using strong remoting to access the data, hence ACL will work. |
Yup that's the one approach I was looking into earlier this week but was lacking time to test it correctly and ended up using something like this:

```js
// ACL is assumed to be LoopBack's ACL model, already in scope.
function checkACL({accessToken, id, model, method}) {
  return new Promise((resolve, reject) => {
    ACL.checkAccessForContext({
      accessToken,
      model,
      property: method,
      method,
      modelId: id,
    }, (err, res) => {
      if (err)
        reject(err);
      else if (res.permission !== ACL.DENY)
        resolve(res);
      else
        reject('Authorization Required');
    });
  });
}
```

One resolver amongst others:

```js
// Check the ACL for the relation method first, then load the data.
return checkACL({accessToken: req.accessToken, model: 'map', method: '__get__markers', id: map.id})
  .then(() => app.models.map.findById(map.id))
  .then(map => map.markers.getAsync());
```

This was a prototype project, it works but not the best solution at all since this logic is one layer too high. It should be in the logic layer, not the graphql resolver. |
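One way to keep that check in a single wrapper instead of repeating it inside every resolver, as an added example that is not code from this thread or from loopback-graphql. The `ACL` object is a constructed stand-in that only mimics the `checkAccessForContext` callback shape used above, and `withACL`, `idOf`, `markersByMap` and the `statusCode` property on the error are assumptions.

```javascript
// Constructed stand-in for LoopBack's ACL model so the sketch runs without LoopBack.
// Only the callback shape and the DENY constant mirror the snippet in the thread.
const ACL = {
  ALLOW: 'ALLOW',
  DENY: 'DENY',
  // Constructed rule: only 'owner-token' may call map.__get__markers.
  checkAccessForContext(ctx, cb) {
    const ok = ctx.accessToken === 'owner-token' &&
      ctx.model === 'map' && ctx.method === '__get__markers';
    setImmediate(cb, null, {permission: ok ? ACL.ALLOW : ACL.DENY});
  },
};

// Same promise wrapper as in the thread, but rejecting with an Error object.
// The statusCode property is an assumption, not a loopback-graphql convention.
function checkACL({accessToken, id, model, method}) {
  return new Promise((resolve, reject) => {
    ACL.checkAccessForContext(
      {accessToken, model, property: method, method, modelId: id},
      (err, res) => {
        if (err) return reject(err);
        if (res && res.permission !== ACL.DENY) return resolve(res);
        const denied = new Error('Authorization Required');
        denied.statusCode = 403;
        reject(denied);
      });
  });
}

// Hypothetical helper: returns a resolver that runs the ACL check first and
// calls the wrapped resolver only when access was not denied.
function withACL({model, method, idOf}, resolver) {
  return (obj, args, context) => {
    const accessToken = context && context.accessToken; // no token: denied by the rule above
    return checkACL({accessToken, model, method, id: idOf(obj, args)})
      .then(() => resolver(obj, args, context));
  };
}

// Constructed data and one guarded resolver.
const markersByMap = {1: ['m1', 'm2']};
const markers = withACL(
  {model: 'map', method: '__get__markers', idOf: (map) => map.id},
  (map) => markersByMap[map.id]);

// Demo: the owner gets data, any other token gets a rejection carrying 403.
markers({id: 1}, {}, {accessToken: 'owner-token'}).then((r) => console.log('owner:', r));
markers({id: 1}, {}, {accessToken: 'guest-token'})
  .catch((e) => console.log('guest:', e.statusCode, e.message));
```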
Any update on this? This project looks amazing but I don't think I would be able to use it without ACL support :/ Happy to help out if required :) |
Feel free to suggest a PR
…On Thu, Apr 6, 2017, 16:12 Tim Perry ***@***.***> wrote:
Any update on this? This project looks amazing but I don't think I would
be able to use it without ACL support :/ Happy to help out if required :)
|
Hi there! I was working on implementing ACLs in loopback-graphql the last two days. Finally I almost have a working thing. It is probably not the best solution, but @LancelotP gave me the idea. Please let me know what you think. I'm working only with findOne execution at the moment. I wrote this checkACL function for testing:
This function resolves a promise with the result of findById if the token is allowed and rejects with an error or null when not allowed or in case of error. Then I've modified the findOne function:
As you can see I'm getting the access token from the request, then I return the checkACL promise. checkACL can validate if a token is allowed to access the resource. The fact is when the token is allowed the query is executed correctly.
But in the case that the token is not allowed, the proper response would be a 403 forbidden. Now I just get this:
I don't have any idea how to change the statusCode from loopback-graphql. I don't even know if it's possible. Do you have any idea how to manage this? Thank you in advance. |
I am looking into another (simpler) solution. Possibly calling the REST APIs which will automatically implement the ACL |
I already tried that @Tallyb ;)
Same results. The REST promise rejects and the result of the findOne
Promise does not fit with what is expected, so that's not the
solution, unless I implemented it wrong (which is perfectly possible :)
I'm dressing my code now. I will make a fork today or Monday with my progress.
On Fri, Jul 21, 2017 at 10:51, Tally Barak (<[email protected]>)
wrote:
… I am looking into another (simpler) solution. Possibly calling the REST
APIs which will automatically implement the ACL
|
It's almost working, but I have a strange behavior checking permissions. I just opened an issue in loopback: |
Hey!
I'm very interested in your project. I myself did an implementation of graphql inside loopback about 6 months ago on loopback 2.0 version. I had trouble dealing with ACLs. I know it's in your roadmap, but do you have any ideas on how to implement them inside loopback-graphql?
This project looks very promising!