Atharva
Atharva

Reputation: 6969

How to prevent owner from deleting the record created in Graphql on AWS?

The current authorisation model only allows to specify what actions we permit the owner to perform. Is there a way to specify somehow the actions that we don't allow even the owner of that record to be able to perform once it's created.

Upvotes: 2

Views: 345

Answers (2)

RichardB
RichardB

Reputation: 31

I was wondering the same. As Will says you can omit the operation you wish to forbid for the owners, however if the operation is not listed anywhere then all authenticated users gain access to it I think? If I understand this correct then I one solution might be creating a group 'Forbidden' and assigning that group the delete operation which should prevent owners, and all authenticated users from using the delete operation..

@auth(rules: [
  { allow: owner, operations: [create, update, read] },
  { allow: groups, groups: ["Forbidden"], operations: [delete] }
])

Upvotes: 2

Will Madden
Will Madden

Reputation: 6965

You can omit the operation you want to forbid, e.g. to forbid deleting:

@auth(rules: [{ allow: owner, operations: [create, read, update] }]) { ... }

Upvotes: -1

Related Questions