Manually enabling access control
If you created your app with slc loopback
, then you don't need to do anything to enable access control.
Otherwise, if you're adding access control manually, you must call the LoopBack enableAuth()
method, for example:
var loopback = require('loopback'); var app = loopback(); app.enableAuth();
Defining access control at runtime
In some applications, you may need to make changes to ACL definitions at runtime. There are two ways to do this:
- Call the DataSource method
createModel()
, providing an ACL specification (in LDL) as an argument. - The
ACL.create()
method. You can apply this at run-time.
Using DataSource createModel() method
You can also control access to a model by passing an LDL specification when creating the model with the data source createModel() method.
var Customer = loopback.createModel('Customer', { name: { type: String, // Property level ACLs acls: [ {principalType: ACL.USER, principalId: 'u001', accessType: ACL.WRITE, permission: ACL.DENY}, {principalType: ACL.USER, principalId: 'u001', accessType: ACL.ALL, permission: ACL.ALLOW} ] } }, { // By default, access will be denied if no matching ACL entry is found defaultPermission: ACL.DENY, // Model level ACLs acls: [ {principalType: ACL.USER, principalId: 'u001', accessType: ACL.ALL, permission: ACL.ALLOW} ] });
For more information on LDL, see LoopBack Definition Language (LDL).
Using the ACL create() method
ACLs defined as part of the model creation are hard-coded into your application. LoopBack also allows you dynamically defines ACLs through code or a dashboard. The ACLs can be saved to and loaded from a database.
ACL.create({principalType: ACL.USER, principalId: 'u001', model: 'User', property: ACL.ALL, accessType: ACL.ALL, permission: ACL.ALLOW}, function (err, acl) {...}); ACL.create({principalType: ACL.USER, principalId: 'u001', model: 'User', property: ACL.ALL, accessType: ACL.READ, permission: ACL.DENY}, function (err, acl) {...});
See Using built-in models for more information.
Can we provide a short example here to complement what's in API reference?
Architecture
The following diagram illustrates the architecture of the LoopBack access control system.