Im trying to list all the Users in my loopback 2.0 app using the REST API and I'm getting the following error:

{
  "error": {
    "name": "Error",
    "status": 401,
    "message": "Authorization Required",
    "statusCode": 401,
    "stack": "...."
  }
}

I manually added the ACL to the model-config.json file:

"User": {
    "dataSource": "db",
    "acls": [
        {
            "principalType": "ROLE",
            "principalId": "$everyone",
            "permission": "ALLOW",
            "accessType": "*"
        }
    ]
},

Since that failed, I created a model based on the User built-in model:

{
    "name": "Admin",
    "base": "User",
    "properties": {},
    "validations": [],
    "relations": {},
    "acls": [
        {
            "principalType": "ROLE",
            "principalId": "$everyone",
            "permission": "ALLOW",
            "accessType": "*"
        }
    ],
    "methods": []
}

But in the REST API I still have the same issue:

{
  "error": {
    "name": "Error",
    "status": 401,
    "message": "Authorization Required",
    "statusCode": 401,
    "stack": "....."
  }
}

I appreciate any help. =)

1. We should allow you to further configure the built-in model with additional ACLs. This is a todo for LoopBack.

2. You can subclass the built-in User model in common/user.json as you have illustrated.

   { "name": "user", "base": "User", "plural": "users" }

Then you need to expose it to REST by adding an entry to server/model-config.json, such as:

"user": {
    "dataSource": "db",
    "public": true
  },

Seems loopback ppl allso hit that issue: https://github.com/strongloop/loopback-example-access-control/issues/8