Reputation: 6969
How to prevent owner from deleting the record created in Graphql on AWS?
The current authorisation model only allows to specify what actions we permit the owner to perform. Is there a way to specify somehow the actions that we don't allow even the owner of that record to be able to perform once it's created.
Upvotes: 2
Views: 345
Answers (2)
Reputation: 31
I was wondering the same. As Will says you can omit the operation you wish to forbid for the owners, however if the operation is not listed anywhere then all authenticated users gain access to it I think? If I understand this correct then I one solution might be creating a group 'Forbidden' and assigning that group the delete operation which should prevent owners, and all authenticated users from using the delete operation..
@auth(rules: [
{ allow: owner, operations: [create, update, read] },
{ allow: groups, groups: ["Forbidden"], operations: [delete] }
])
Upvotes: 2
Reputation: 6965
You can omit the operation you want to forbid, e.g. to forbid deleting:
@auth(rules: [{ allow: owner, operations: [create, read, update] }]) { ... }
Upvotes: -1
Related Questions
- AWS amplify graphql appsync - do not return deleted items?
- How to give separate permissions to GraphQL queries in AWS Amplify
- AWS Amplify GraphQL - allow owner to create, but only if he belongs to a certain group
- Error when trying to delete in AWS AppSync
- How to limit AppSync queries for users?
- How do you prevent updates to the ownerField of an AWS Amplify GraphQL API?
- Appsync Update and Delete mutation not working
- GraphQL update and delete mutations not working
- GraphQL: How to prevent nesting attack to gain access to unauthorized data?
- How to check permissions of an entity on create in appsync