smythluke

Reputation: 201

How are multiple @auth directives handled on an AWS AppSync GraphQL Schema?

I'm trying to create a single model with a few attributes:

type Guest @model {
    id: ID!
    name: String
    dayGuest: Boolean
    attending: Boolean
    dietryRequirements: String
    owner: String
}

I'd like to adjust how different users can access the data within this model:

  1. Users that are assigned to the 'admins' group within cognito should be able to create, read, update and delete all the fields within a record.

  2. The owner of the record should be able to read every field and update the attending and dietryRequirements fields.

  3. Any user with a valid JWT should be able to update the owner field.

To achieve this I have implemented the following @auth directives:

  1. @auth(rules: [{allow: groups, groups: ["admins"]}]) on the Guest model
  2. @auth(rules: [{allow: owner, ownerField: "owner", operations:[read]}]) on the Guest model and @auth(rules: [{allow: owner, ownerField: "owner", operations: [update]}]) on the attending and dietryRequirements fields.
  3. @auth(rules: [{allow: private, operations: [update]}]) on the owner field.

The final model looks like this:

type Guest @model @auth(rules: [{allow: groups, groups: ["admins"]}, {allow: owner, ownerField: "owner", operations:[read]}]){
    id: ID!
    name: String
    dayGuest: Boolean
    attending: Boolean @auth(rules: [{allow: owner, ownerField: "owner", operations: [update]}])
    dietryRequirements: String @auth(rules: [{allow: owner, ownerField: "owner", operations: [update]}])
    owner: String @auth(rules: [{allow: private, operations: [update]}])
}

This doesn't seem to work and I can't work out why. The admin user can view everything and create new objects. A validated user (not owner) cannot update the owner field as this returns an unauthorised error. An owner can view all the records regardless of them being the owner of each specific record or not.

How can I achieve what I want?

Upvotes: 2

Views: 884

Answers (1)

Isaac I9

Reputation: 169

When you add a field-level auth rule, you are actually setting a new auth rule for that field, which prevents admins from updating 'attending' and 'dietaryRequirements'.

You must include the auth rule for admins on these fields as well. For example:

attending: Boolean 
@auth(rules: [
  {allow: owner, ownerField: "owner", operations: [read, update]}
  {allow: groups, groups: ["admins"]} 
])

Documentation
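As an added example (not part of the question or the answer), here is the schema from the question rewritten along the lines of the answer: every field-level @auth repeats the model-level rules it would otherwise drop, since a field-level @auth replaces the model-level list for that field.

```graphql
# Added example, not the asker's or answerer's code: Guest model with each
# field-level @auth carrying the full set of rules that field needs.
type Guest
  @model
  @auth(rules: [
    # admins: full create/read/update/delete on the whole record
    { allow: groups, groups: ["admins"] }
    # record owner: read access to fields that have no @auth of their own
    { allow: owner, ownerField: "owner", operations: [read] }
  ]) {
  id: ID!
  name: String
  dayGuest: Boolean

  # A field-level @auth replaces the model-level list for this field, so
  # the admin group and the owner's read access must be repeated here.
  attending: Boolean
    @auth(rules: [
      { allow: groups, groups: ["admins"] }
      { allow: owner, ownerField: "owner", operations: [read, update] }
    ])

  dietryRequirements: String
    @auth(rules: [
      { allow: groups, groups: ["admins"] }
      { allow: owner, ownerField: "owner", operations: [read, update] }
    ])

  # Requirement 3: any signed-in user may set the owner field. Note that
  # this also lets a non-owner reassign who owns a record, so only keep
  # this rule if that is intended. Owner read and admin access are repeated.
  owner: String
    @auth(rules: [
      { allow: groups, groups: ["admins"] }
      { allow: owner, ownerField: "owner", operations: [read] }
      { allow: private, operations: [update] }
    ])
}
```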

Upvotes: 0
