Reputation: 6969
The current authorisation model only allows us to specify what actions we permit the owner to perform. Is there a way to specify somehow the actions that we don't allow even the owner of that record to be able to perform once it's created?
Upvotes: 2
Views: 345
Reputation: 31
I was wondering the same. As Will says, you can omit the operation you wish to forbid for the owners; however, if the operation is not listed anywhere then all authenticated users gain access to it, I think? If I understand this correctly, then one solution might be creating a group 'Forbidden' and assigning that group the delete operation, which should prevent owners and all authenticated users from using the delete operation.
@auth(rules: [
  { allow: owner, operations: [create, update, read] },
  { allow: groups, groups: ["Forbidden"], operations: [delete] }
])
Upvotes: 2
Reputation: 6965
You can omit the operation you want to forbid, e.g. to forbid deleting:
@auth(rules: [{ allow: owner, operations: [create, read, update] }]) { ... }
Upvotes: -1
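A small check for the concern raised in the answer that proposes the 'Forbidden' group, as an added example that is not part of the original thread or of Amplify itself: it lists the operations that no @auth rule mentions, so they can be reviewed before deploying. The function names are hypothetical and the parser handles only the flat rule shape used in this thread.

```javascript
// Added example (not Amplify code): function names are hypothetical.
const ALL_OPS = ["create", "read", "update", "delete"];

// Parse rule objects from an @auth(rules: [...]) string. Handles only the flat
// shape used in this thread: { key: scalar, key: [list] }.
function parseAuthRules(directive) {
  const rules = [];
  for (const m of directive.matchAll(/\{([^{}]*)\}/g)) {
    const rule = {};
    for (const f of m[1].matchAll(/(\w+)\s*:\s*(\[[^\]]*\]|[^,\s]+)/g)) {
      const raw = f[2].replace(/"/g, "");
      rule[f[1]] = raw.startsWith("[")
        ? raw.slice(1, -1).split(",").map((s) => s.trim()).filter(Boolean)
        : raw;
    }
    if (rule.allow) rules.push(rule); // skips non-rule braces such as "{ ... }"
  }
  return rules;
}

// Map each operation to the principals that some rule grants it to.
function operationCoverage(directive) {
  const coverage = Object.fromEntries(ALL_OPS.map((op) => [op, []]));
  for (const rule of parseAuthRules(directive)) {
    const who = rule.allow === "groups"
      ? "groups:" + (rule.groups || []).join("|")
      : rule.allow;
    // A rule with no operations list applies to all four operations.
    for (const op of rule.operations || ALL_OPS) {
      if (ALL_OPS.includes(op)) coverage[op].push(who);
    }
  }
  return coverage;
}

// Operations that no rule mentions: the ones to review before deploying.
function uncoveredOperations(directive) {
  const coverage = operationCoverage(directive);
  return ALL_OPS.filter((op) => coverage[op].length === 0);
}

// The two directives posted in this thread.
const OWNER_ONLY = "@auth(rules: [{ allow: owner, operations: [create, read, update] }]) { ... }";
const WITH_FORBIDDEN_GROUP = `@auth(rules: [
  { allow: owner, operations: [create, update, read] },
  { allow: groups, groups: ["Forbidden"], operations: [delete] }
])`;
console.log(uncoveredOperations(OWNER_ONLY));
console.log(operationCoverage(WITH_FORBIDDEN_GROUP));
```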