This repository has been archived by the owner on Apr 18, 2020. It is now read-only.
Access control not enforced #2
Comments
Some more info: If I remove the following ACLs then the access control works: {
@74monkeys Thanks for the report. I'm marking this as a bug and opening up a related bug in the loopback repo:
As strongloop/loopback#115 has been closed, I'm going to close this as well.
I got the app up and running and then requested the transactions from the test data user (1) using curl. I am not passing a token, so I am not authenticated.
It happily returns all the transactions, which it shouldn't.
$ curl http://0.0.0.0:4000/api/users/1/transactions
[
{
"id": 1,
"userId": 1,
"accountId": 1,
"pos": "Gas and Test",
"credit": 8283.81,
"time": "2013-01-12T13:52:23.826Z"
},
{
"id": 2,
"userId": 1,
"accountId": 1,
"pos": "Jasmine Tea",
"debit": 236.76,
"time": "2013-03-09T06:35:51.862Z"
},
...