How to set up the ACL to allow everyone list all the Users from the REST API

Question

Im trying to list all the Users in my loopback 2.0 app using the REST API and I'm getting the following error:

{
  "error": {
    "name": "Error",
    "status": 401,
    "message": "Authorization Required",
    "statusCode": 401,
    "stack": "...."
  }
}

I manually added the ACL to the model-config.json file:

"User": {
    "dataSource": "db",
    "acls": [
        {
            "principalType": "ROLE",
            "principalId": "$everyone",
            "permission": "ALLOW",
            "accessType": "*"
        }
    ]
},

Since that failed, I created a model based on the User built-in model:

{
    "name": "Admin",
    "base": "User",
    "properties": {},
    "validations": [],
    "relations": {},
    "acls": [
        {
            "principalType": "ROLE",
            "principalId": "$everyone",
            "permission": "ALLOW",
            "accessType": "*"
        }
    ],
    "methods": []
}

But in the REST API I still have the same issue:

{
  "error": {
    "name": "Error",
    "status": 401,
    "message": "Authorization Required",
    "statusCode": 401,
    "stack": "....."
  }
}

I appreciate any help. =)

Answer 1

1. We should allow you to further configure the built-in model with additional ACLs. This is a todo for LoopBack.

2. You can subclass the built-in User model in common/user.json as you have illustrated.

   { "name": "user", "base": "User", "plural": "users" }

Then you need to expose it to REST by adding an entry to server/model-config.json, such as:

"user": {
    "dataSource": "db",
    "public": true
  },