角色为 "Admin" 的用户无法获取 public 条记录

User with Role "Admin" cannot fetch public records

我有一个 class Room 具有 class 级别的 ACL public read/write。然后每个记录都有一个记录级别的 ACL <owner-user-id> r/w 和 role:Admin r/w。

碰巧角色为 admin 的用户只能读取房间的 "some",即使他们都具有相同的 ACL(仅用户 ID 更改)并且他无法读取 "public records"。

奇怪的事实:如果我在没有任何 sessionToken 的情况下查询 Room class,我会看到 public 记录,但是如果我使用 role:Admin 用户的会话令牌,我看不到他们。

我在 REST API 和 Javascript 客户端 API 中遇到了同样的问题。

这怎么可能?我缺少一些配置?

这里是 "role:Admin users" cannot 阅读的房间示例(来自 mongodb):

{
    "_id" : "MZoIBY3zuo",
    "xxx" : [],
    "_p_home" : "Home$xxxxx",
    "roomName" : "xxxxx",
    "area" : null,
    "height" : x,
    "windows" : x,
    "tempMin" : x,
    "tempMax" : x,
    "_wperm" : [
        "CpcI4SOzE4",
        "role:Admin",
        "*"
    ],
    "_rperm" : [
        "CpcI4SOzE4",
        "role:Admin",
        "*"
    ],
    "_acl" : {
        "CpcI4SOzE4" : {
            "w" : true,
            "r" : true
        },
        "role:Admin" : {
            "w" : true,
            "r" : true
        },
        "*" : {
            "w" : true,
            "r" : true
        }
    },
    "_created_at" : ISODate("2018-10-31T14:02:32.791Z"),
    "_updated_at" : ISODate("2018-11-04T11:23:19.683Z")
}
{
    "_id" : "BziFbnP1Ny",
    "xxx" : [],
    "_p_home" : "Home$pbqrrk1JVo",
    "roomName" : "xxx2",
    "area" : null,
    "height" : 3,
    "windows" : 2,
    "tempMin" : 20,
    "tempMax" : 23,
    "_wperm" : [
        "CpcI4SOzE4",
        "role:Admin"
    ],
    "_rperm" : [
        "CpcI4SOzE4",
        "role:Admin"
    ],
    "_acl" : {
        "CpcI4SOzE4" : {
            "w" : true,
            "r" : true
        },
        "role:Admin" : {
            "w" : true,
            "r" : true
        }
    },
    "_created_at" : ISODate("2018-10-31T14:02:00.180Z"),
    "_updated_at" : ISODate("2018-11-01T01:08:53.643Z")
}

这里 Room "role:Admin users" can 读作:

{
    "_id" : "pCzvLPWbYD",
    "_p_home" : "Home$sYX5pMvUfe",
    "roomName" : "xxx3",
    "area" : null,
    "height" : 3,
    "windows" : 4,
    "tempMin" : 21,
    "tempMax" : 23,
    "_wperm" : [
        "TgNwD80kcR",
        "role:Admin"
    ],
    "_rperm" : [
        "TgNwD80kcR",
        "role:Admin"
    ],
    "_acl" : {
        "TgNwD80kcR" : {
            "w" : true,
            "r" : true
        },
        "role:Admin" : {
            "w" : true,
            "r" : true
        }
    },
    "_created_at" : ISODate("2018-10-12T15:09:55.244Z"),
    "_updated_at" : ISODate("2018-11-04T10:43:57.607Z"),
    "xxx" : [],
    "xxxx" : {}
}

角色

> db.getCollection('_Role').find()
{ "_id" : "Y0Y3xg3Tij", "_rperm" : [ "role:Redactor" ], "_wperm" : [ ], "_acl" : { "role:Redactor" : { "r" : true } }, "name" : "Redactor", "_updated_at" : ISODate("2017-12-01T09:05:59.306Z"), "_created_at" : ISODate("2016-10-17T16:07:27.186Z") }
{ "_id" : "CGuF9CgXjs", "name" : "Admin", "_wperm" : [ ], "_rperm" : [ "role:Admin" ], "_acl" : { "role:Admin" : { "r" : true } }, "_created_at" : ISODate("2017-12-01T09:05:07.986Z"), "_updated_at" : ISODate("2017-12-01T09:07:25.473Z") }

链接到角色的用户:

> db.getCollection('_Join:users:_Role').find()
{ "_id" : ObjectId("5a211bcdbd15be8e7457a263"), "owningId" : "CGuF9CgXjs", "relatedId" : "yHhVd7yybE" }
{ "_id" : ObjectId("5a211bcdbd15be8e7457a264"), "owningId" : "CGuF9CgXjs", "relatedId" : "OAhrAzI7HV" }

管理员用户:

> db.getCollection('_User').find({username: 'XXX'})
{ "_id" : "yHhVd7yybE", "utcTime" : ISODate("2017-09-16T09:45:23.225Z"), "username" : "XXX", "email" : "xxxx", "_hashed_password" : "xxxxxxx", "_wperm" : [ "yHhVd7yybE" ], "_rperm" : [ "*", "yHhVd7yybE" ], "_acl" : { "yHhVd7yybE" : { "w" : true, "r" : true }, "*" : { "r" : true } }, "_created_at" : ISODate("2017-09-16T09:41:16.941Z"), "_updated_at" : ISODate("2018-09-28T21:41:31.740Z"), "_p_linkedHome" : "Home$R0H3ObzmMC", "location" : "Zurich" }

房间架构:

{
    "_id" : "Room",
    "objectId" : "string",
    "updatedAt" : "string",
    "createdAt" : "string",
    "roomName" : "string",
    "tempMin" : "number",
    "tempMax" : "number",
    "area" : "number",
    "height" : "number",
    "windows" : "number",
    "home" : "*Home",
    "data" : "array",
    "xxxxx" : "array",
    "xxx" : "array",
    "_metadata" : {
        "class_permissions" : {
            "get" : {
                "*" : true,
                "role:Admin" : true
            },
            "find" : {
                "*" : true,
                "role:Admin" : true
            },
            "create" : {
                "*" : true,
                "role:Admin" : true
            },
            "update" : {
                "*" : true,
                "role:Admin" : true
            },
            "delete" : {
                "*" : true,
                "role:Admin" : true
            },
            "addField" : {
                "*" : true,
                "role:Admin" : true
            }
        },
        "indexes" : {
            "_id_" : {
                "_id" : 1
            }
        }
    },
    "xxxx" : "object"
}

天啊,我发现问题了。实际上,我没有在客户端和 REST API 上正确设置查询的 limit,因此它返回了 100 个最近的房间,而 public 房间当然是最后创建的。非常愚蠢的错误:(