Unable to restrict admin permission on login to loopback using admin on rest


I am creating a web application in which I use admin on rest for the user interface and LoopBack for the REST API. My user, acl, rolemapping and role tables are in MySQL. In my project I am able to control access permissions when I try with the LoopBack UI (after logging in and setting the access token). But when I try with the admin on rest UI I am able to log in but not able to control the access; in admin on rest I have given all the URLs and everything in authClient.jsx. My authClient.jsx file:

const request = new Request('http://localhost:3004/api/Users/login', {
    method: 'POST',
    body: JSON.stringify({ email, password }),
    headers: new Headers({ 'Content-Type': 'application/json' })
});

Can anybody help me fix this issue?

Best answer:

You need to use AOR Permissions

https://github.com/marmelab/aor-permissions

This will handle all authentication and role based access.

On the API side you will need to create a custom login method that will also return the user role in the request.

Something like the following:

    // Logs the user in with the built-in User.login, then attaches the name of the
    // user's role (RoleMapping -> Role) to the AccessToken that is returned
    User.customLogin = (credentials, cb) => {
        User.login(credentials, 'User', function(err, token) {
            if (err) {
                console.error(err)
                return cb(err)
            }
            app.models.RoleMapping.findOne({where: {principalId: token.userId}, include: {relation: 'role'}}, function(err, rolemap) {
                if (err) {
                    console.error(err)
                    return cb(err)
                }
                // A user without a role mapping yields no rolemap; avoid dereferencing null
                token.role = (rolemap && rolemap.role()) ? rolemap.role().name : null
                return cb(null, token)
            })
        })
    }

    // Expose the method over REST as POST /api/Users/customLogin
    User.remoteMethod('customLogin', {
        accepts: {arg: 'credentials', type: 'object', required: true, http: {source: 'body'}},
        returns: {arg: 'token', type: 'object', root: true},
        http: {verb: 'post'}
    })

Save the user role in localStorage on login, and then you can use AOR Permissions to show role-based views to every user.

EDIT: According to AOR star contributor @gildas below, AOR Permissions is going to be deprecated and all its features moved to AOR core. So please check your version of AOR and decide accordingly.
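The client half of the answer above, as an added example that is not part of the question or the answer: an admin-on-rest authClient that calls the customLogin endpoint, keeps the returned token and role in storage, and drops the session when the API answers 401 or 403. The fetch function and the storage object are injected so the code also runs outside a browser (pass window.fetch and localStorage in the app); the login URL and the locally defined AUTH_* string constants are assumptions.

```javascript
// Added example (not the question's or answer's code). The AUTH_* names mirror the
// constants admin-on-rest exports; they are defined locally here as an assumption.
const AUTH_LOGIN = 'AUTH_LOGIN';
const AUTH_LOGOUT = 'AUTH_LOGOUT';
const AUTH_ERROR = 'AUTH_ERROR';
const AUTH_CHECK = 'AUTH_CHECK';
const AUTH_GET_PERMISSIONS = 'AUTH_GET_PERMISSIONS';
// Forget the bearer token and the cached role together
const clearSession = storage => { storage.removeItem('token'); storage.removeItem('role'); };

function createAuthClient({ loginUrl, fetchImpl, storage }) {
    return (type, params) => {
        switch (type) {
        case AUTH_LOGIN:
            return fetchImpl(loginUrl, {
                method: 'POST',
                headers: { 'Content-Type': 'application/json' },
                body: JSON.stringify({ email: params.email, password: params.password }),
            }).then(response => {
                // LoopBack answers 401 for bad credentials; treat any non-2xx as failure
                if (response.status < 200 || response.status >= 300) {
                    throw new Error(`login failed with HTTP ${response.status}`);
                }
                return response.json();
            }).then(token => {
                // AccessToken.id is the bearer token; `role` is the field customLogin adds.
                // The stored role only selects views: the user can edit localStorage, so
                // LoopBack's server-side ACLs stay the real access control.
                storage.setItem('token', token.id);
                storage.setItem('role', token.role || '');
            });
        case AUTH_LOGOUT:
            clearSession(storage);
            return Promise.resolve();
        case AUTH_ERROR:
            // 401 = token invalid/expired, 403 = ACL denied: drop the session so the UI re-logs in
            if (params && (params.status === 401 || params.status === 403)) {
                clearSession(storage);
                return Promise.reject(new Error(`API rejected the session (HTTP ${params.status})`));
            }
            return Promise.resolve();
        case AUTH_CHECK:
            return storage.getItem('token') ? Promise.resolve() : Promise.reject(new Error('not logged in'));
        case AUTH_GET_PERMISSIONS:
            return Promise.resolve(storage.getItem('role') || 'guest');
        default:
            return Promise.reject(new Error(`unknown auth type: ${type}`));
        }
    };
}
```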