nyambati/express-acl

Deny on resource causes "Policy not found" issue.


I’m exploring ACL solutions for a Node.js project and express-acl felt like the right choice. I installed it with npm and the first part of integration and just having a simple allow-everything admin user went pretty well. Then for the next user group I wanted to add restrictions for certain routes but seem to have run into trouble with it. Hopefully this is just a pilot error on my part.

This is what my simple nacl.json looks like :

[
   {  
      "group":"admin",
      "permissions":[  
         {  
            "resource":"*",
            "methods":"*",
            "action":"allow"
         }
      ]
   },
   {  
      "group":"user1",
      "permissions":[  
         {  
            "resource":"admin",
            "methods":"*",
            "action":"deny"
         }
      ]
   }
]

There are no errors on startup and I want the user1 profile to have access to everything except for routes starting with “admin”. Things are fine if I just have one “allow” permissions entry (like for admin) but when I start specifying “deny” or multiple rules, it seems to have trouble parsing the json (?). I get the following response for a resource:

{"status":"Access denied","success":false,"message":"REQUIRED: Policy not found"}

It seems to complain about not being able to find the ‘user1’ policy group. I’ve seen the problem trying to use “deny” on a resource or while trying to use multiple permissions entries. I’m using Node.js v6.11.3 on MacOSX.

Thank you.

@rvsingh-gpsw Thanks for raising this issue. I will look into it first thing in the morning. I will get back to you as soon as I can. Feel free to book my calendar if you need to pair on the same.

I ended up looking closely at the authenticate method and realized the problem with using a 'deny' rule was that I had to explicitly allow the others. It was fortunately an easy enough change in terms of re-organizing the code directories in the project and I was able to achieve the working roles using the following config:

[
   {  
      "group":"admin",
      "permissions":[  
         {  
            "resource":"*",
            "methods":"*",
            "action":"allow"
         }
      ]
   },
 
   {  
      "group":"user1",
      "permissions":[  
         {  
            "resource":"admin",
            "methods":"*",
            "action":"deny"
         },
         {  
            "resource":"assets",
            "methods":"*",
            "action":"allow"
         },
         {  
            "resource":"js",
            "methods":"*",
            "action":"allow"
         },
         {  
            "resource":"api",
            "methods":["GET", "POST"],
            "action":"allow"
         }
      ]
   }
]

So it looks like this works now and I am testing it, but so far so good. Thanks again for the prompt response. And love the simplicity and neatness of the module. Keep up the awesome work.
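To make the default-deny behaviour behind this thread concrete, here is an added example (my own code, not express-acl's implementation): a small evaluator that treats a request as allowed only when the group's policy has a rule covering that resource and method with action "allow", so a resource no rule mentions is refused, which is why the first config denied everything for user1 and the second one works. The "Policy not found" wording is copied from the issue's response; the exact-rule-beats-wildcard precedence is an assumption of this example.

```javascript
// Added example modelling the issue's behaviour; not express-acl's own code.
// Configs constructed from the two nacl.json files posted in the thread.
const adminOnly = [{ resource: '*', methods: '*', action: 'allow' }];
const denyOnly = [{ resource: 'admin', methods: '*', action: 'deny' }];
const denyPlusAllows = [
  { resource: 'admin', methods: '*', action: 'deny' },
  { resource: 'assets', methods: '*', action: 'allow' },
  { resource: 'js', methods: '*', action: 'allow' },
  { resource: 'api', methods: ['GET', 'POST'], action: 'allow' },
];
// First config from the issue: user1 has only the deny rule.
const firstConfig = [
  { group: 'admin', permissions: adminOnly },
  { group: 'user1', permissions: denyOnly },
];
// Second (working) config: every resource user1 may reach is explicitly allowed.
const secondConfig = [
  { group: 'admin', permissions: adminOnly },
  { group: 'user1', permissions: denyPlusAllows },
];

// Resource is the first path segment: "/admin/users?x=1" -> "admin".
function resourceOf(url) {
  return url.split('?')[0].split('/').filter(Boolean)[0] || '';
}

function methodMatches(rule, method) {
  if (rule.methods === '*') return true;
  return rule.methods.map((m) => m.toUpperCase()).includes(method.toUpperCase());
}

// Returns { success: true } or { success: false, message }.
// A missing group OR a resource no rule mentions both end in a refusal,
// because nothing grants access by default (default deny).
function authorize(policies, group, method, url) {
  const notFound = { success: false, message: 'REQUIRED: Policy not found' };
  const policy = policies.find((p) => p.group === group);
  if (!policy) return notFound;
  const resource = resourceOf(url);
  const matching = (r) => methodMatches(r, method);
  // Assumption: an exact resource rule takes precedence over a "*" rule.
  const rule =
    policy.permissions.find((r) => r.resource === resource && matching(r)) ||
    policy.permissions.find((r) => r.resource === '*' && matching(r));
  if (!rule) return notFound;
  return rule.action === 'allow'
    ? { success: true }
    : { success: false, message: 'Access denied' };
}
```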

@rvsingh-gpsw Thanks for your contribution too. Any feedback on how we can improve the module and make it simpler will be appreciated.