Deny on resource causes "Policy not found" issue.
I’m exploring ACL solutions for a Node.js project and express-acl felt like the right choice. I installed it with npm and the first part of integration and just having a simple allow-everything admin user went pretty well. Then for the next user group I wanted to add restrictions for certain routes but seem to have run into trouble with it. Hopefully this is just a pilot error on my part.
This is what my simple nacl.json looks like:
[
  {
    "group": "admin",
    "permissions": [
      {
        "resource": "*",
        "methods": "*",
        "action": "allow"
      }
    ]
  },
  {
    "group": "user1",
    "permissions": [
      {
        "resource": "admin",
        "methods": "*",
        "action": "deny"
      }
    ]
  }
]
There are no errors on startup and I want the user1 profile to have access to everything except for routes starting with “admin”. Things are fine if I just have one “allow” permissions entry (like for admin) but when I start specifying “deny” or multiple rules, it seems to have trouble parsing the json (?). I get the following response for a resource:
{"status":"Access denied","success":false,"message":"REQUIRED: Policy not found"}
It seems to complain about not being able to find the ‘user1’ policy group. I’ve seen the problem trying to use “deny” on a resource or while trying to use multiple permissions entries. I’m using Node.js v6.11.3 on MacOSX.
Thank you.
@rvsingh-gpsw Thanks for raising this issue. I will look into it first thing in the morning. I will get back to you as soon as I can. Feel free to book my calendar if you need to pair on the same.
I ended up looking closely at the authenticate method and realized the problem with using a 'deny' rule was that I had to explicitly allow the others. It was fortunately an easy enough change in terms of re-organizing the code directories in the project and I was able to achieve the working roles using the following config:
[
  {
    "group": "admin",
    "permissions": [
      {
        "resource": "*",
        "methods": "*",
        "action": "allow"
      }
    ]
  },
  {
    "group": "user1",
    "permissions": [
      {
        "resource": "admin",
        "methods": "*",
        "action": "deny"
      },
      {
        "resource": "assets",
        "methods": "*",
        "action": "allow"
      },
      {
        "resource": "js",
        "methods": "*",
        "action": "allow"
      },
      {
        "resource": "api",
        "methods": ["GET", "POST"],
        "action": "allow"
      }
    ]
  }
]
So it looks like this works now and I am testing it but so far so good. Thanks again for the prompt response. And love the simplicity and neatness of the module. Keep up the awesome work.
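To make the behaviour discussed in this thread concrete, here is an added evaluator (example code, not express-acl's own implementation) that applies the semantics the reporter found: a group's policy for a request exists only if some permission entry names that resource, so a deny-only group yields "Policy not found" for everything else. It assumes the resource is the first path segment, and that a matching deny wins over a matching allow; the "Method or resource denied" message is a constructed placeholder.

```javascript
// Added example, not express-acl's code: a minimal evaluator for the nacl.json
// shape used in this issue. Both configs below are the ones quoted in the thread.
const policiesBefore = [
  { group: 'admin', permissions: [{ resource: '*', methods: '*', action: 'allow' }] },
  { group: 'user1', permissions: [{ resource: 'admin', methods: '*', action: 'deny' }] },
];

const policiesAfter = [
  policiesBefore[0],
  {
    group: 'user1',
    permissions: [
      { resource: 'admin', methods: '*', action: 'deny' },
      { resource: 'assets', methods: '*', action: 'allow' },
      { resource: 'js', methods: '*', action: 'allow' },
      { resource: 'api', methods: ['GET', 'POST'], action: 'allow' },
    ],
  },
];

function denied(message) {
  // Same response shape as the one quoted in the issue.
  return { status: 'Access denied', success: false, message };
}

function authorize(policies, group, method, url) {
  const policy = policies.find((p) => p.group === group);
  if (!policy) return denied('REQUIRED: Policy not found');

  // Assumption: the resource is the first path segment ("/api/users" -> "api").
  const resource = url.split('?')[0].split('/').filter(Boolean)[0] || '';
  const matches = policy.permissions.filter(
    (p) => p.resource === '*' || p.resource === resource,
  );
  // A deny-only group has no entry for its other resources, hence "Policy not found":
  // everything not explicitly allowed is unreachable, which is why the fix adds allows.
  if (matches.length === 0) return denied('REQUIRED: Policy not found');

  const m = method.toUpperCase();
  const forMethod = matches.filter((p) => p.methods === '*' || p.methods.includes(m));
  // Deny beats allow when both name the resource (conservative choice for this example).
  if (forMethod.some((p) => p.action === 'deny')) return denied('Method or resource denied');
  if (forMethod.some((p) => p.action === 'allow')) return { status: 'Access granted', success: true };
  // The resource is known but no entry covers this method.
  return denied('Method or resource denied');
}
```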
@rvsingh-gpsw Thanks for your contribution too. Any feedback on how we can improve the module and make it simpler will be appreciated.