aws-amplify / amplify-category-api

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development. This plugin provides functionality for the API category, allowing for the creation and management of GraphQL and REST based backends for your amplify project.
https://docs.amplify.aws/
Apache License 2.0

GraphQL Schema Transform Minor Bug in Resolver Logic #327

Open xitanggg opened 4 years ago

xitanggg commented 4 years ago

Describe the bug: I create a schema for account, which stores userId, fullName and email.

At the account level, I give:

At the userId field, I give:

type account
    @model(subscriptions: null)
    @key(fields: ["userId"])
    @auth(
        rules: [
            {
                allow: groups
                groups: ["Admins"]
                operations: [create, read, update, delete]
            }
            {
                allow: private
                provider: iam
                operations: [create, read, update, delete]
            }
            { allow: owner, ownerField: "userId", operations: [read, update] }
        ]
    ) {
    userId: String!
        @auth(
            rules: [
                { allow: owner, ownerField: "userId", operations: [read] }
            ]
        )
    fullName: String
    email: String
}

Expected behavior: I expect the Cognito Admins group and the AWS IAM service to have full CRUD permission on user accounts.

Actual behavior: the AWS IAM service has full CRUD permission on user accounts, but the Cognito Admins group doesn't. The Cognito Admins group isn't able to read userId on a listAccounts query.

To enable it, I have to re-specify the Cognito Admins group permission at userId:

userId: String!
        @auth(
            rules: [
                {
                    allow: groups
                    groups: ["Admins"]
                    operations: [create, read, update, delete]
                }
                { allow: owner, ownerField: "userId", operations: [read] }
            ]
        )

I suspect this to be a minor bug in the resolver logic.

SwaySway commented 4 years ago

Hello @xitanggg, currently, if you introduce a field rule, it will override the object rule. To ensure that the owner can also read userId, you would need to add that rule in the field as well. This is part of some optimizations we are considering for @auth.

xitanggg commented 4 years ago

Thanks for your response, @SwaySway. So with my example, I expect the field rule on userId for the owner to only override the object rule of the owner, but it seems to remove the object rule of the groups as well.
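The override behaviour described in the maintainer's reply can be made concrete with a small model. The TypeScript below is an added example written for this page, not code from the Amplify CLI or the GraphQL transformer; every name in it (Rule, Caller, ModelAuth, effectiveRules, readableFields) is illustrative. It models only the Cognito User Pools rules from the issue (groups and owner): the issue reports that IAM access was unaffected, and this toy model makes no claim about why. The sample callers and the account record are constructed, not real identities.

```typescript
// Added example (not Amplify's code): a model of the @auth semantics described
// in the thread. A field that declares its own @auth uses ONLY those rules; the
// object-level rules are not merged in. All names here are illustrative.

type Operation = "create" | "read" | "update" | "delete";

type Rule =
  | { allow: "groups"; groups: string[]; operations: Operation[] }
  | { allow: "owner"; ownerField: string; operations: Operation[] };

// A Cognito User Pools caller: its groups and its subject id, the value that
// owner rules compare against the record's ownerField.
interface Caller {
  groups: string[];
  sub: string;
}

interface ModelAuth {
  objectRules: Rule[];
  fieldRules: Record<string, Rule[]>;
}

// Override semantics from the reply: field rules replace, rather than extend,
// the object rules for that field.
function effectiveRules(model: ModelAuth, field: string): Rule[] {
  return model.fieldRules[field] ?? model.objectRules;
}

function ruleAllows(rule: Rule, caller: Caller, op: Operation, record: Record<string, string>): boolean {
  if (!rule.operations.includes(op)) return false;
  if (rule.allow === "groups") {
    return rule.groups.some((g) => caller.groups.includes(g));
  }
  // owner rule: the caller's subject must match the record's owner field
  return record[rule.ownerField] === caller.sub;
}

function canAccessField(model: ModelAuth, field: string, caller: Caller, op: Operation, record: Record<string, string>): boolean {
  return effectiveRules(model, field).some((r) => ruleAllows(r, caller, op, record));
}

// Which fields of a record a caller could read, in the record's key order.
function readableFields(model: ModelAuth, caller: Caller, record: Record<string, string>): string[] {
  return Object.keys(record).filter((f) => canAccessField(model, f, caller, "read", record));
}

const crud: Operation[] = ["create", "read", "update", "delete"];
const adminsCrud: Rule = { allow: "groups", groups: ["Admins"], operations: crud };
const ownerReadUpdate: Rule = { allow: "owner", ownerField: "userId", operations: ["read", "update"] };
const ownerRead: Rule = { allow: "owner", ownerField: "userId", operations: ["read"] };

// The schema as posted in the issue: userId carries only the owner read rule.
const reportedSchema: ModelAuth = {
  objectRules: [adminsCrud, ownerReadUpdate],
  fieldRules: { userId: [ownerRead] },
};

// The workaround from the issue: the Admins group rule is repeated on userId.
const workaroundSchema: ModelAuth = {
  objectRules: [adminsCrud, ownerReadUpdate],
  fieldRules: { userId: [adminsCrud, ownerRead] },
};

// Constructed sample callers and record (not real identities).
const adminCaller: Caller = { groups: ["Admins"], sub: "admin-1" };
const ownerCaller: Caller = { groups: [], sub: "user-42" };
const sampleAccount: Record<string, string> = {
  userId: "user-42",
  fullName: "Sample User",
  email: "sample@example.com",
};

console.log("Admins, reported schema:  ", readableFields(reportedSchema, adminCaller, sampleAccount));
console.log("Admins, workaround schema:", readableFields(workaroundSchema, adminCaller, sampleAccount));
console.log("Owner, reported schema:   ", readableFields(reportedSchema, ownerCaller, sampleAccount));
```

Under the reported schema the Admins caller can read fullName and email but not userId, exactly the listAccounts symptom in the issue, while the owner keeps read on userId and update on fullName (the object-level owner rule still applies to fields without their own @auth). The practical check this suggests: whenever a field gets its own @auth directive, repeat every object-level rule that should still apply to that field, and exercise each field with each identity type before relying on the object-level rules.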