Chinese Documentation : Advanced topics: access control

Manually enabling access control

If you created your app with slc loopback, then you don't need to do anything to enable access control.   

Otherwise, if you're adding access control manually, you must call the LoopBack enableAuth() method, for example:

/server/server.js
var loopback = require('loopback');
var app = loopback();
app.enableAuth();

Defining access control at runtime

In some applications, you may need to make changes to ACL definitions at runtime.  There are two ways to do this:

  • Call the DataSource method createModel(), providing an ACL specification (in LDL) as an argument.  
  • The ACL.create() method.  You can apply this at run-time.

Using DataSource createModel() method

You can also control access to a model by passing an LDL specification when creating the model with the data source createModel() method.   

/server/boot/script.js
var Customer = loopback.createModel('Customer', {
      name: {
        type: String,
        // Property level ACLs
        acls: [
          {principalType: ACL.USER, principalId: 'u001', accessType: ACL.WRITE, permission: ACL.DENY},
          {principalType: ACL.USER, principalId: 'u001', accessType: ACL.ALL, permission: ACL.ALLOW}
        ]
      }
    }, {
      // By default, access will be denied if no matching ACL entry is found
      defaultPermission: ACL.DENY,
      // Model level ACLs
      acls: [
        {principalType: ACL.USER, principalId: 'u001', accessType: ACL.ALL, permission: ACL.ALLOW}
      ]
    });

For more information on LDL, see LoopBack Definition Language (LDL).

Using the ACL create() method

ACLs defined as part of the model creation are hard-coded into your application. LoopBack also allows you dynamically defines ACLs through code or a dashboard. The ACLs can be saved to and loaded from a database.

/server/boot/script.js
ACL.create({principalType: ACL.USER, principalId: 'u001', model: 'User', property: ACL.ALL,
    accessType: ACL.ALL, permission: ACL.ALLOW}, function (err, acl) {...});
 
ACL.create({principalType: ACL.USER, principalId: 'u001', model: 'User', property: ACL.ALL, 
	accessType: ACL.READ, permission: ACL.DENY}, function (err, acl) {...});

 

See Using built-in models for more information.

REVIEW COMMENT from $paramName
Can we provide a short example here to complement what's in API reference?

Architecture

The following diagram illustrates the architecture of the LoopBack access control system.