Commit Graph

28 Commits

Author SHA1 Message Date
Farid Neshat d2d8fabb16 Fix acl.resolvePermission for wildcard req
When acl.resolvePermission was called with a request containing a
wildcard, it would return the matching acl with lowest score instead of
higher.

Fixes #2153
2017-09-27 02:48:34 +02:00
crandmck 9f8321ad61 Fix case of values per doc issue 2017-08-11 11:10:51 -07:00
Miroslav Bajtoš c5145bdf34
Add support for scoped access tokens
Define a new property `AccessToken.scopes` to contain the list of
scopes granted to this access token.

Define a new remote method metadata `accessScopes` to contain a list
of scope name required by this method.

Define a special built-in scope name "DEFAULT" that's used when
a method/token does not provide any scopes. This allows access
tokens to grant access to both the default scope and any additional
custom scopes at the same time.

Modify the authorization algorithm to ensure that at least one
of the scopes required by a remote method is allowed by the scopes
granted to the requesting access token.

The "DEFAULT" scope preserve backwards compatibility because existing
remote methods with no `accessScopes` can be accessed by (existing)
access tokens with no `scopes` defined.

Impact on existing applications:

 - Database schema must be updated after upgrading the loopback version

 - If the application was already using a custom `AccessToken.scopes`
   property with a type different from an array, then the relevant code
   must be updated to work with the new type "array of strings".
2017-04-07 13:04:40 +02:00
ebarault 8aa98a80ef Propagate authorized roles in remoting context
Adds an authorizedRoles object to remotingContext.args.options
which contains all the roles (static and dynamic) that are
granted to the user when performing a request through
strong-remoting to an app with authentication enabled.

The authorizedRoles object for example looks like:
{
  $everyone: true,
  $authenticated: true,
  myRole: true
}

NOTE: this pr also covers a number of jsdoc fixes as well
as refactoring in ACL.js and access-context.js
2017-03-20 12:29:33 +01:00
Eric 9fe084fffd Enable multiple user models
Allow LoopBack applications to configure multiple User models and share
the same AccessToken model.

To enable this feature:

1) In your custom AccessToken model:

 - add a new property "principalType" of type "string".
 - configure the relation "belongsTo user" as polymorphic,
   using "principalType" as the discriminator

2) In your User models:

 - Configure the "hasMany accessTokens" relation as polymorphic,
   using "principalType" as the discriminator

When creating custom Role and Principal instances, set your
User model's name as the value of "prinicipalType".
2017-02-02 09:42:30 +01:00
ebarault a63fad402e Add promise support to built-in model ACL 2017-01-31 14:09:43 +01:00
Miroslav Bajtoš acdfb432d0 Upgrade eslint config and grunt-eslint to latest
- disable ES6 because PhantomJS does not support it yet
 - fix linter errors reported after the upgrade.
2016-12-06 16:05:13 +01:00
Loay 06cb481c3f Update eslint to loopback config v5
Notable side-effects:
 - loopback no longer exports "caller" and "arguments" properties
 - kv-memory connector is now properly added to the connector registry
 - the file "test/support.js" was finally removed
2016-11-22 14:08:02 +01:00
Candy 640f3a8ca7 Update globalization structure 2016-09-22 11:58:00 +02:00
Benjamin Kroeger 4ff9a4c2ef streamline use if `self` 2016-08-25 12:51:51 +02:00
Benjamin Kroeger 01c1656fc2 resolve related models from correct registry
Also modify setup of test servers when ACL was used, force the app
to `loadBuiltinModels` with localRegistry.
2016-08-25 12:51:29 +02:00
Rand McKinney 01a9fa2ab2 Update acl.js
Fix typo in JS doc.
2016-08-16 10:14:17 -07:00
Candy b52a7217a9 Add globalization 2016-08-04 15:08:16 -04:00
Miroslav Bajtoš 98816217c9 test: use local registry in test fixtures
Use local registry in test fixtures to prevent collision in globally
shared models.

Fix issues discoverd in auth implementation where the global registry
was used instead of the correct local one.
2016-07-27 10:07:49 +02:00
Ryan Graham 6964914bab
update copyright statements 2016-05-03 15:50:21 -07:00
Miroslav Bajtoš f9702b0ace Use eslint with loopback config
Drop jshint and jscs in favour of eslint.

Fix style violations.

While we are at this, reduce the max line length from 150 to 100.
2016-04-06 10:45:30 +02:00
Raymond Feng 3eb8dd55f6 Add util methods to ACL and clean up related model resolutions 2015-08-13 08:58:41 -07:00
Miroslav Bajtoš 9c5fe088e3 AccessControl for change replication
1) Add integration tests running change replication over REST to verify
that access control at model level is correctly enforced.

2) Implement a new access type "REPLICATE" that allows principals
to create new checkpoints, even though they don't have full WRITE
access to the model. Together with the "READ" permission, these
two types allow principals to replicate (pull) changes from the server.

Note that anybody having "WRITE" access type is automatically
granted "REPLICATE" type too.

3) Add a new model option "enableRemoteReplication" that exposes
replication methods via strong remoting, but does not configure
change rectification. This option should be used the clients
when setting up Remote models attached to the server via the remoting
connector.
2015-04-07 19:53:58 +02:00
Ritchie Martori b9170751bc Add support for app level Model isolation
- `loopback.registry` is now a true global registry
 - `app.registry` is unique per app object
 - `Model.registry` is set when a Model is created using any registry method
 - `loopback.localRegistry` and `loopback({localRegistry: true})` when set to `true` this will create a `Registry` per `Application`. It defaults to `false`.
2015-04-03 11:48:45 -07:00
ulion 9f705139f8 Static ACL support array of properties now 2015-03-06 06:24:09 +08:00
crandmck a82b33ec5c Add docs for settings per #1069 2015-02-23 13:13:52 -08:00
Raymond Feng 563a06fa7e Make sure EXECUTE access type matches READ or WRITE
See https://github.com/strongloop/loopback/issues/1011
2015-01-14 13:38:44 -08:00
Miroslav Bajtoš dc762d2514 common: coding style cleanup 2014-11-04 13:52:49 +01:00
Miroslav Bajtoš 461ae92c1c models: move Role LDL def into a json file 2014-10-14 09:04:43 +02:00
Miroslav Bajtoš 7c01d59d80 models: move ACL LDL def into a json file 2014-10-14 09:04:43 +02:00
Miroslav Bajtoš ef890d5f26 models: move Scope def into its own files 2014-10-14 08:58:17 +02:00
Raymond Feng 242b44ed2b Skip static ACL entries that don't match the property 2014-10-13 16:45:36 -07:00
Miroslav Bajtoš 1fe0110849 Dismantle `lib/models`.
- Move core models `Model` and `PersistedModel` to `lib/`.
 - Move `AccessContext` class to `lib/`, since it is not a model.
 - Move all other built-in models to `common/models`.

This is a preparation for extracting model definitions to JSON files.
By splitting the change into multiple commits, git is able to keep track
of file moves (renames).
2014-10-13 12:09:27 +02:00