Oleg Shemetov

Reputation: 500

loopback ACL for user model

I'm using LoopBack to create a simple API for a SPA website. I want to keep my permissions as simple as possible, so I ended up with the following ACL model

This will obviously work if I create several users and then no one is able to create or modify users anymore. As I can't explicitly change permissions for the built-in User model, I created an admin model that extends User. Then I set the public property of the User model to false. I set the following ACL rules:

{
  "accessType": "*",
  "principalType": "ROLE",
  "principalId": "$everyone",
  "permission": "DENY"
},
{
  "accessType": "EXECUTE",
  "principalType": "ROLE",
  "principalId": "$everyone",
  "permission": "ALLOW",
  "property": "login"
},
{
  "accessType": "*",
  "principalType": "ROLE",
  "principalId": "$authenticated",
  "permission": "ALLOW"
}

As I see it, it should deny any unauthorized user access to any methods other than login.

Unfortunately that is not how it works: anyone can still POST to /users and create new users. My guess is that ACL rules do not apply to the inherited model, so the rules for User are applied here. So I'm back to square one; I can neither change User permissions directly nor override them.

What are my options here? Is there no way to prevent creating new users?

Upvotes: 2

Views: 1417

Answers (2)

Mihir Kanzariya

Reputation: 526

I was facing the same issue a few days ago and I found this solution. LoopBack's default POST /Users rule is that everyone can insert a user. Your admin model inherits from the User model, thus the rules are inherited too. We will have to override the create permission in your admin model.

LoopBack User model default permission for POST

Just put the object below in the acls section of common/models/admin.json

...
"acls": [{
  "principalType": "ROLE",
  "principalId": "$everyone",
  "permission": "DENY",
  "property": "create"
},{
  "principalType": "ROLE",
  "principalId": "$authenticated",
  "permission": "ALLOW",
  "property": "create"
}]
...

Thus you first DENY access to $everyone by overriding the default rule, and set a rule for only $authenticated, which will then be able to POST. You can set the rules as per your requirements.

Upvotes: 0

Oleg Shemetov

Reputation: 500

As it turned out, the rule specifics matter more than the inheritance level. In this case, the User model defines a rule specifically for the create property. This rule takes precedence over the more general deny-every-property rule, even though the deny rule was defined in the extended admin model. So I had to take all the allowed rules from the User model and deny them explicitly in admin.

Upvotes: 3
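To make the precedence rule concrete, here is an added example (not LoopBack's own code, and not from either poster): a simplified model of ACL resolution that pools the inherited User rules with the admin model's own rules and lets the most specific match win, with DENY winning ties. The User default rules and the scoring weights are assumptions; check the acls array in your installed common/models/user.json.

```javascript
// Added example (not LoopBack's own code): a simplified model of LoopBack-style ACL
// resolution. Assumptions: the most specific matching rule wins (a named property
// beats "*", $authenticated beats $everyone); on a tie, DENY wins.
// Constructed subset of the built-in User model's default ACLs (assumed; check user.json).
const userDefaultAcls = [
  { principalId: '$everyone', permission: 'DENY', property: '*' },
  { principalId: '$everyone', permission: 'ALLOW', property: 'create' },
  { principalId: '$everyone', permission: 'ALLOW', property: 'login' },
];
// The admin.json rules from the question.
const adminAclsQuestion = [
  { principalId: '$everyone', permission: 'DENY', property: '*' },
  { principalId: '$everyone', permission: 'ALLOW', property: 'login' },
  { principalId: '$authenticated', permission: 'ALLOW', property: '*' },
];
// The accepted answer's fix: explicitly DENY every property-specific $everyone ALLOW
// inherited from the base model, except the ones still needed (here: login).
function denyInherited(baseAcls, keep) {
  return baseAcls
    .filter(r => r.permission === 'ALLOW' && r.principalId === '$everyone' &&
                 r.property !== '*' && !keep.includes(r.property))
    .map(r => ({ principalId: '$everyone', permission: 'DENY', property: r.property }));
}
// 0 = rule does not apply to this request; higher = more specific match.
function matchScore(rule, req) {
  if (rule.principalId === '$authenticated' && !req.isAuthenticated) return 0;
  if (rule.property !== '*' && rule.property !== req.property) return 0;
  let score = 1;
  if (rule.property === req.property) score += 10;
  if (rule.principalId === '$authenticated') score += 1;
  return score;
}
// Base-model and extended-model rules are pooled: the declaring model is not a tiebreaker.
function resolve(baseAcls, modelAcls, req) {
  const matched = baseAcls.concat(modelAcls)
    .map(rule => ({ rule, score: matchScore(rule, req) }))
    .filter(m => m.score > 0);
  if (matched.length === 0) return 'DENY';
  const top = Math.max(...matched.map(m => m.score));
  const winners = matched.filter(m => m.score === top);
  return winners.some(m => m.rule.permission === 'DENY') ? 'DENY' : 'ALLOW';
}
const anonCreate = { property: 'create', isAuthenticated: false };
const adminAclsFixed = adminAclsQuestion.concat(denyInherited(userDefaultAcls, ['login']));
console.log(resolve(userDefaultAcls, adminAclsQuestion, anonCreate)); // ALLOW (the bug)
console.log(resolve(userDefaultAcls, adminAclsFixed, anonCreate));    // DENY
```

Adding the other answer's property-specific `$authenticated` ALLOW for create outscores the explicit DENY, so logged-in users regain create while anonymous callers stay denied.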
