Closed ErnestDaDev closed 1 year ago
So i fugured out, the unathourized on owner was referring to the owner field on the schema - owner: String @auth(rules: [{ allow: owner, operations: [create, read] }])
so after i changed it to owner: String @auth(rules: [{ allow: owner, operations: [create, read, update, delete] }])
it works now. So the question actually is how do i get the owner to update or delete a record without touching the owner field, initially i knew AWS Amplify did not allow us to touch the field if not explicitly stated in the @auth
In the docs, it says To prevent an owner from reassigning their record to another user, protect the owner field (by default owner: String) with a field-level authorization rule. For example, in a social media app, you would want to prevent Alice from being able to reassign Alice's Post to Bob.
type Todo @model @auth(rules: [{ allow: owner }]) { id: ID! description: String owner: String @auth(rules: [{ allow: owner, operations: [read, delete] }]) }
So the question actually is how do i get the owner to update or delete a record without touching the owner field on server side?
I have the same problem after fulfilling the Amplify CLI recommendations:
⚠️ WARNING: owners may reassign ownership for the following model(s) and role(s): Place: [owner], RepoTimeRange: [owner]. If this is not intentional, you may want to apply field-level authorization rules to these fields. To read more: https://docs.amplify.aws/cli/graphql/authorization-rules/#per-user--owner-based-data-access.
amplify cli version 10.3.0
amplify_datastore: ^0.6.9 amplify_flutter: ^0.6.9
Hi @ErnestDaDev @mlaube field level auth is not applicable to DataStore.
For your example use case @ErnestDaDev when you use owner auth, by default, you don't need to list the owner
field in the model, unless you wanted to override this field. By default, the default owner field is not explicit in the generated model, where when you update the model, you are not able to reassign the owner field.
e.g. take model
type TestAuth @model @auth(rules: [{allow: owner}]) {
id: ID!
content: String
}
Generated model fields
@immutable
class TestAuth extends Model {
static const classType = const _TestAuthModelType();
final String id;
final String? _content;
final TemporalDateTime? _createdAt;
final TemporalDateTime? _updatedAt;
...
}
Please let me know if this helps or you have other questions regarding this use case.
@ErnestDaDev @mlaube - Please let us know if the info above does not answer the question, or if you have other questions. Thanks.
@Jordan-Nelson yes this answers it so the error in the console applies to API directly, that is using GRAPHQL mutation?
What console are you referring to @ErnestDaDev ? AppSync console? Or your IDE debugger? When you see the error are you using DataStore? Or the API plugin individually?
In general, field level auth has not been formally supported in Amplify libraries including both API and DataStore plugins.
@ErnestDaDev @mlaube - Please let us know if the info above does not answer the question, or if you have other questions. Thanks.
After removing owner field from the model, Amplify CLI still warning:
⚠️ WARNING: owners may reassign ownership for the following model(s) and role(s): RepoPlace: [owner], RepoZone: [owner], RepoTimeRange: [owner]. If this is not intentional, you may want to apply field-level authorization rules to these fields. To read more: https://docs.amplify.aws/cli/graphql/authorization-rules/#per-user--owner-based-data-access.
amplify cli version 10.5.1
amplify_datastore: ^0.6.10 amplify_flutter: ^0.6.10
Hi @mlaube you can safely ignore this warning when with DataStore use cases.
OK thanks
Description
In my schema i have @auth with owner with full operations - CRUD, in the app, syncing is done perfectly, it can create and read but it immediately says unauthorized when i attempt to both update or delete the record when it tries to sync, it gets deleted locally but it never makes it to the cloud. I tried with the API directly as you can see in the screenshot and it gives the error unauthorized. Am i doing something wrong somewhere? It just seems strange that i can create and read but explicitly prevents deletion and updating even when i have the permissions. Its been 5 days now of trying still no solution. As you can see attached when i print out the -acm, it confirms owner can perform CRUD. @HuiSF What do you think might be the issue here? Thanks in advance.
Here is the schema.
Categories
Steps to Reproduce
No response
Screenshots
Platforms
Android Device/Emulator API Level
API 24, API 32+
Environment
Dependencies
Device
NA
OS
Android 10
Deployment Method
Amplify CLI
CLI Version
10.2.2
Additional Context
No response
Amplify Config
{ "UserAgent": "aws-amplify-cli/2.0", "Version": "1.0", "api": { "plugins": { "awsAPIPlugin": { "app": { "endpointType": "GraphQL", "endpoint": "hidden", "region": "eu-west-2", "authorizationType": "AMAZON_COGNITO_USER_POOLS", "apiKey": hiddeni" } } } }, "auth": { "plugins": { "awsCognitoAuthPlugin": { "UserAgent": "aws-amplify-cli/0.1.0", "Version": "0.1.0", "IdentityManager": { "Default": {} }, "CredentialsProvider": { "CognitoIdentity": { "Default": { "PoolId": "hidden", "Region": "eu-west-2" } } }, "CognitoUserPool": { "Default": { "PoolId": "hidden", "AppClientId": "hidden", "Region": "eu-west-2" } }, "Auth": { "Default": { "authenticationFlowType": "USER_SRP_AUTH", "socialProviders": [], "usernameAttributes": [ "PHONE_NUMBER" ], "signupAttributes": [ "EMAIL" ], "passwordProtectionSettings": { "passwordPolicyMinLength": 8, "passwordPolicyCharacters": [] }, "mfaConfiguration": "OFF", "mfaTypes": [ "SMS" ], "verificationMechanisms": [ "PHONE_NUMBER" ] } }, "AppSync": { "Default": { "ApiUrl": "hidden", "Region": "eu-west-2", "AuthMode": "AMAZON_COGNITO_USER_POOLS", "ClientDatabasePrefix": "app_AMAZON_COGNITO_USER_POOLS" }, "app_API_KEY": { "ApiUrl": "hidden", "Region": "eu-west-2", "AuthMode": "API_KEY", "ApiKey": "hidden", "ClientDatabasePrefix": "app_API_KEY" }, "app_AWS_IAM": { "ApiUrl": "hidden", "Region": "eu-west-2", "AuthMode": "AWS_IAM", "ClientDatabasePrefix": "app_AWS_IAM" } } } } } }