MLab and Loopback ACL - Has many (POST)

Question

I'm pretty new to node.js/mlab and I'm trying to figure out my ACLs.

I have two models, Songs and Accounts.

I've created a has many relationship between Accounts and Songs where an account has many Songs called favorites.

"relations": {
   "favorites": {
     "type": "hasMany",
     "model": "Song",
     "foreignKey": ""
   }
 }

The way I want my ACL set up is that only the administrator can create new songs, but anyone who is authenticated can add Songs to their favorites.

I have an endpoint (id = userId and it also takes a token):

/Accounts/{id}/favorites

The problem is, whenever I try to POST to this endpoint I get:

http://0.0.0.0:3000/api/Accounts/584e6ed148d44a6c1e53c1a3/favorites 401 (Unauthorized)

For Songs, the current ACLs are:

  "acls": [
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "administrator",
      "permission": "ALLOW"
    },
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
    },
    {
      "accessType": "READ",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "ALLOW"
    }]

For Accounts, the current ACLs are:

"acls": [
    {
      "accessType": "EXECUTE",
      "principalType": "ROLE",
      "principalId": "$authenticated",
      "permission": "ALLOW",
      "property": "POST"
    }
  ]

I've traced it:

  loopback:security:role isInRole(): $everyone +0ms
  loopback:security:access-context ---AccessContext--- +2ms
  loopback:security:access-context principals: +1ms
  loopback:security:access-context principal: {"type":"USER","id":"584e6ed148d44a6c1e53c1a3"} +0ms
  loopback:security:access-context modelName Account +1ms
  loopback:security:access-context modelId 584e6ed148d44a6c1e53c1a3 +0ms
  loopback:security:access-context property __create__favorites +0ms
  loopback:security:access-context method __create__favorites +0ms
  loopback:security:access-context accessType WRITE +0ms
  loopback:security:access-context accessToken: +0ms
  loopback:security:access-context   id "QD2gi3uUr7g07EN7NhCbeSeyKT4AEZGWUoQQB9V0siFzgBOiPM1WOAkLhvxHCQGq" +0ms
  loopback:security:access-context   ttl 1209600 +0ms
  loopback:security:access-context getUserId() 584e6ed148d44a6c1e53c1a3 +0ms
  loopback:security:access-context isAuthenticated() true +0ms
  loopback:security:role Custom resolver found for role $everyone +0ms
  loopback:security:acl The following ACLs were searched:  +1ms
  loopback:security:acl ---ACL--- +1ms
  loopback:security:acl model Account +0ms
  loopback:security:acl property * +0ms
  loopback:security:acl principalType ROLE +0ms
  loopback:security:acl principalId $everyone +0ms
  loopback:security:acl accessType * +0ms
  loopback:security:acl permission DENY +0ms
  loopback:security:acl with score: +0ms 7495
  loopback:security:acl ---Resolved--- +0ms
  loopback:security:access-context ---AccessRequest--- +0ms
  loopback:security:access-context  model Account +0ms
  loopback:security:access-context  property __create__favorites +0ms
  loopback:security:access-context  accessType WRITE +0ms
  loopback:security:access-context  permission DENY +1ms
  loopback:security:access-context  isWildcard() false +0ms
  loopback:security:access-context  isAllowed() false +0ms

Thank you!

Answer 1

Got it! Had to set access for specific property because default is deny access.

{
      "accessType": "EXECUTE",
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW",
      "property": "__create__favorites"
    },
    {
      "accessType": "EXECUTE",
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW",
      "property": "__get__favorites"
    }