Closed mm-git closed 3 years ago
The OK result of the create operation by owner B includes owner A's owner field. That means owner B can learn owner A's id. Could this be a security risk?
@mm-git -- We'll investigate in short order. Thanks for raising.
Hey @mm-git :wave: thanks for raising this! In order to filter items that are created by the owner when we execute a list operation, for example, we need to add read to the operations in our @auth rules like so:
@auth(
  rules: [
    { allow: owner, operations: [read, create, update, delete] }
  ]
)
If this is the case, then owners are only allowed to see what they've created, but are able to create an item using an existing custom key. Owners are not allowed to update or delete records owned by other owners, though. Given the current setup, without read noted in the allowed operations, all items from all owners can be returned.
I've raised this issue to the team to take a further look at!
/cc team: I'm also seeing custom keys being added to listXXX operations. With the schema:
type Todo
  @model
  @auth(rules: [{ allow: owner, operations: [read, create, update, delete] }])
  @key(fields: ["customId"]) {
  customId: ID!
  name: String!
  owner: String
}
we see the following in the built schema:
type Query {
  getTodo(customId: ID!): Todo
  listTodos(customId: ID, filter: ModelTodoFilterInput, limit: Int, nextToken: String, sortDirection: ModelSortDirection): ModelTodoConnection
}
However, this is not the case when not using custom keys.
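As an added illustration (not Amplify's resolver code, and independent of this thread's participants), the following in-memory model contrasts an unconditional create, which reproduces the overwrite reported in this issue (owner stays A, _version goes to 2), with a create that refuses to write over an existing custom key. The table shape, the `createUnchecked`/`createConditional` names and the "ConditionalCheckFailed" error string are assumptions for the example only.

```javascript
// Added example, not Amplify's own implementation: a tiny in-memory table
// keyed by the custom primary key "customId", with "owner" and "_version"
// fields like a conflict-detection-enabled @model.
function createTable() {
  return new Map(); // customId -> { customId, name, owner, _version }
}

// Flawed variant (models the reported behaviour): the owner rule only decides
// whether the caller may create, then the write is unconditional. A second
// caller reusing an existing customId updates that row instead of failing:
// the stored owner is preserved and _version is bumped, and the response
// hands the original owner's id back to the second caller.
function createUnchecked(table, caller, input) {
  const existing = table.get(input.customId);
  const row = existing
    ? { ...existing, name: input.name, _version: existing._version + 1 }
    : { ...input, owner: caller, _version: 1 };
  table.set(input.customId, row);
  return { ok: true, item: row };
}

// Hardened variant: a create must fail when the key already exists, the
// equivalent of a DynamoDB PutItem with ConditionExpression
// "attribute_not_exists(customId)" (assumed mitigation, not from the issue).
// No row is returned on conflict, so the caller learns nothing about the
// existing record's owner.
function createConditional(table, caller, input) {
  if (table.has(input.customId)) {
    return { ok: false, error: "ConditionalCheckFailed" };
  }
  const row = { ...input, owner: caller, _version: 1 };
  table.set(input.customId, row);
  return { ok: true, item: row };
}

// Client-side check for the symptom described in this issue: a "successful"
// create whose returned item is owned by someone else or already versioned.
function looksLikeOverwrite(result, caller) {
  return result.ok && (result.item.owner !== caller || result.item._version > 1);
}
```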
This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.
Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.
JavaScript Framework
Vue
Amplify APIs
GraphQL API
Amplify Categories
api
Environment information
Describe the bug
I defined a model like this.
It works fine. At first, owner A creates a record in an XXX table. If owner B creates a record with the same id, it causes a 400 error.
But when I defined a model with a custom primary key, it doesn't work.
Even when owner B creates a record with the same customId created by owner A, there is no error. In addition, after the create operation by owner B, the owner value is still owner A, but _version changed to 2.
Expected behavior
Even if a model has a custom primary key, creating a record with the same id created by another owner should be prevented.
Reproduction steps