This repository has been archived by the owner on Apr 18, 2020. It is now read-only.

Access control not enforced #2

Closed
74monkeys opened this issue Dec 23, 2013 · 3 comments

Comments

@74monkeys

I got the app up and running and then requested the transactions for the test data user (1) using curl, so I am not passing a token and am not authenticated.
It happily returns all the transactions, which it shouldn't.

```
$ curl http://0.0.0.0:4000/api/users/1/transactions
[
{
"id": 1,
"userId": 1,
"accountId": 1,
"pos": "Gas and Test",
"credit": 8283.81,
"time": "2013-01-12T13:52:23.826Z"
},
{
"id": 2,
"userId": 1,
"accountId": 1,
"pos": "Jasmine Tea",
"debit": 236.76,
"time": "2013-03-09T06:35:51.862Z"
},
...
```

@74monkeys
Author

Some more info:

If I remove the following ACLs then the access control works.
It's as if the property is not being read, so it is interpreted as allowing all access.

```json
{
"accessType": "*",
"permission": "ALLOW",
"principalType": "ROLE",
"property": "findById",
"principalId": "$owner"
},
{
"accessType": "*",
"permission": "ALLOW",
"principalType": "ROLE",
"property": "updateAttributes",
"principalId": "$owner"
},
{
"accessType": "*",
"permission": "ALLOW",
"principalType": "ROLE",
"property": "logout",
"principalId": "$everyone"
}
```
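An added check (example code, not LoopBack's and not the reporter's) that lints a LoopBack-style `acls` array for the two states that let a request fall through to "allow" without anyone noticing: an `accessType` that is not one LoopBack recognizes, and the absence of a model-wide `$everyone` DENY rule. The recognized accessType values (READ, WRITE, EXECUTE, `*`) and the deny-all shape are taken from LoopBack's ACL model and its access-control example; the sample arrays below are constructed from the three rules quoted in the comment.

```javascript
'use strict';
// Added example (not LoopBack's or the reporter's code): lint a LoopBack-style
// "acls" array for states that let a request fall through to "allow" silently:
//  - entries whose accessType is not one LoopBack recognizes
//    (READ, WRITE, EXECUTE or "*"), e.g. an empty string left by a bad paste;
//  - no model-wide "$everyone" DENY rule, so anything unmatched is permitted.
// Assumed valid accessType values are from LoopBack's ACL model; the deny-all
// shape is the pattern LoopBack's own access-control example uses.

const VALID_ACCESS_TYPES = new Set(['READ', 'WRITE', 'EXECUTE', '*']);

function isDefaultDeny(acl) {
  return acl.permission === 'DENY' && acl.principalType === 'ROLE' &&
    acl.principalId === '$everyone' && acl.accessType === '*' && !acl.property;
}

function lintAcls(acls) {
  const findings = [];
  acls.forEach((acl, i) => {
    if (!VALID_ACCESS_TYPES.has(acl.accessType)) {
      findings.push(`acl[${i}] (${acl.property || 'model-wide'}): ` +
        `unrecognized accessType ${JSON.stringify(acl.accessType)}`);
    }
  });
  if (!acls.some(isDefaultDeny)) {
    findings.push('no model-wide "$everyone" DENY rule; unmatched requests are not denied');
  }
  return findings;
}

// The three rules quoted in the issue, as a constructed sample.
const ISSUE_ACLS = [
  { accessType: '*', permission: 'ALLOW', principalType: 'ROLE', property: 'findById', principalId: '$owner' },
  { accessType: '*', permission: 'ALLOW', principalType: 'ROLE', property: 'updateAttributes', principalId: '$owner' },
  { accessType: '*', permission: 'ALLOW', principalType: 'ROLE', property: 'logout', principalId: '$everyone' },
];

// Same rules plus an explicit model-wide deny-all. LoopBack resolves the more
// specific property-level ALLOW entries over it, so they become exceptions to
// a default of "deny" rather than the only rules standing between an
// unauthenticated caller and /api/users/1/transactions.
const HARDENED_ACLS = [
  { accessType: '*', permission: 'DENY', principalType: 'ROLE', principalId: '$everyone' },
  ...ISSUE_ACLS,
];

console.log(lintAcls(ISSUE_ACLS));    // one finding: missing default deny
console.log(lintAcls(HARDENED_ACLS)); // []
```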

@ritch
Member

ritch commented Dec 23, 2013

@74monkeys Thanks for the report. I'm marking this as a bug and opening up a related bug in the loopback repo:

strongloop/loopback#115

@crandmck
Contributor

crandmck commented Jul 8, 2015

As strongloop/loopback#115 has been closed, I'm going to close this as well.

@crandmck crandmck closed this as completed Jul 8, 2015