From 5255120a22e3dfff5fd9e26a1bc15deee28a8a4a Mon Sep 17 00:00:00 2001
From: zxvv <gitgub.com@murphey.org>
Date: Sat, 6 Sep 2014 19:05:32 -0500
Subject: [PATCH] Add an ACL to User, to allow everyone to execute
 User.passwordReset().

This is intended to permit users who have forgotten their
password, and are thus unauthenticated, to request a reset.

Credit goes to John Murphy who proposed the ACL in Google Groups here:
https://groups.google.com/forum/#!searchin/loopbackjs/passwordReset$20ACL/loopbackjs/UPyhg7KS-9k/_M_9-YpUKmIJ

Signed-off-by: Carey Richard Murphey <rich@murphey.org>
---
 lib/models/user.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/models/user.js b/lib/models/user.js
index c43d557f..3a38f8e4 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -93,6 +93,13 @@ var options = {
       model: 'AccessToken',
       foreignKey: 'userId'
     }
+  },
+  {
+    principalType: ACL.ROLE,
+    principalId: Role.EVERYONE,
+    permission: ACL.ALLOW,
+    property: "resetPassword",
+    accessType: ACL.EXECUTE
   }
 };