I use ACL rules to block all types of access from all users. It works for GET access, but does not work for POST access.
Any idea what could be wrong?
Here is the code and sample results:
/common/models/client.json
{
  "name": "client",
  "plural": "clients",
  "base": "User",
  "idInjection": true,
  "properties": {},
  "validations": [],
  "relations": {},
  "acls": [
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
    }
  ],
  "methods": {}
}
GET access error (working as expected, blocked):
CURL:
curl -X GET --header "Accept: application/json" "http://localserver:8080/api/quants"
RESPONSE:
{
  "error": {
    "name": "Error",
    "status": 401,
    "message": "Authorization Required",
    "statusCode": 401,
    "code": "AUTHORIZATION_REQUIRED",
    "stack": "Error: Authorization Required\n at ...
  }
}
POST error, access is not blocked. Does not work.
CURL:
curl -X POST --header "Content-Type: application/json" --header "Accept: application/json" -d "{
\"email\": \"test@email.com\",
\"password\": \"abcd1234\"
}
" "http://localserver:8080/api/clients"
RESPONSE:
{
  "email": "test@email.com",
  "id": "46b258078da5dtg1ji5809ww"
}
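
An added example, not part of the original post and not LoopBack's own code: a simplified JavaScript model of how the wildcard DENY above can still let the POST through. It assumes that the built-in User model, inherited through "base": "User", carries an ALLOW rule for the `create` method, that a rule naming the method outranks a `*` rule, and that DENY wins ties; `hardenedAcls` and all function names are hypothetical.

```javascript
// Simplified model of ACL resolution (illustrative only, not LoopBack source).
// Every rule here targets ROLE $everyone, so principal matching is left out.

// Assumption: abridged ACLs inherited from the built-in User model.
const baseUserAcls = [
  { principalId: '$everyone', permission: 'DENY' },                     // deny all
  { principalId: '$everyone', permission: 'ALLOW', property: 'create' } // sign-up
];

// The single ACL from client.json in the question.
const questionAcls = [
  { accessType: '*', principalId: '$everyone', permission: 'DENY' }
];

// Hypothetical hardened variant: also deny the method by name.
const hardenedAcls = questionAcls.concat([
  { principalId: '$everyone', permission: 'DENY', property: 'create' }
]);

// Assumption: DENY outranks ALLOW when two rules are equally specific.
const PERMISSION_ORDER = { ALLOW: 1, DENY: 4 };

// Score one rule against a method name; -1 means the rule does not apply.
function score(rule, method) {
  const property = rule.property || '*';
  if (property !== '*' && property !== method) return -1;
  const specificity = property === method ? 3 : 2; // exact match beats wildcard
  return specificity * 4 + PERMISSION_ORDER[rule.permission] - 1;
}

// The highest-scoring applicable rule decides; null if no rule applies.
function resolve(acls, method) {
  let best = null;
  for (const rule of acls) {
    const s = score(rule, method);
    if (s >= 0 && (best === null || s > best.s)) best = { s, rule };
  }
  return best ? best.rule.permission : null;
}

// Inherited rules and the model's own rules are evaluated together.
function effectivePermission(modelAcls, method) {
  return resolve(baseUserAcls.concat(modelAcls), method);
}
```

Under these assumptions the question's ACL resolves `create` to ALLOW and `find` to DENY, while the variant with a method-specific DENY resolves `create` to DENY.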