
Public Role Usage

Open dottodot opened this issue 10 years ago • 4 comments

How is the public role supposed to work? I would have assumed that this role could be used for users who are not logged in, i.e. anonymous users. However, I have added a read permission to a model for the public role, but I get the error: "You are not permitted to perform this action."

dottodot avatar Mar 24 '15 12:03 dottodot

Are you able to provide any information on this? At present it's unusable if it's not possible to grant public/anonymous users access to certain things.

dottodot avatar Jun 10 '15 10:06 dottodot

OK, I've realised what's happening now. The sessionAuth policy is requiring the user to be logged in, so no matter what permissions are set up they must be logged in first. This can be fixed by allowing access to actions through policies.js, but this seems to defeat some of the purpose of this system.

Not sure if this would work, but I've seen this method used elsewhere: users who are not logged in would be assigned to a default anonymous user account, which would have a role of public only. I believe this would then make it possible to use the public role to grant access to anon users.

I think all that would be required is to include a default anon user account along with the default admin one, and then change the sessionAuth policy so that rather than returning a 403 it assigns them as the anon user.

// api/policies/sessionAuth.js
module.exports = function(req, res, next) {
  if (req.session.authenticated) {
    return next();
  } else {
    // Not logged in: attach the default anonymous account so the
    // permission checks can evaluate the public role for this request.
    User.findOne({username: 'anon'}).then(function(user){
      if (!user) {
        // No anon account has been seeded: refuse rather than leave
        // the request hanging or continuing with req.user undefined.
        return res.forbidden();
      }
      req.user = user;
      return next();
    }).catch(next); // surface lookup errors instead of swallowing them
  }
};

Obviously I can implement this myself, but as there is a default public role it probably should be included. Also, I'm not 100% sure if this method will cause any undesirable issues.

dottodot avatar Jun 11 '15 11:06 dottodot

:+1:

ksylvan avatar Aug 24 '15 16:08 ksylvan

Ran into the same problem. I thought all visitors would be treated as public users. Also, your workaround looks OK, but it won't help in debugging, as the request log will show all the public users as anon and it will be impossible to track down a particular request. There should be a method of creating a separate request id for each request and assigning that as the username with the public role.

Any input from the developers?

yadavji83 avatar Dec 11 '15 19:12 yadavji83