maoosi / prisma-appsync

⚡ Turns your ◭ Prisma Schema into a fully-featured GraphQL API, tailored for AWS AppSync.
https://prisma-appsync.vercel.app
BSD 2-Clause "Simplified" License

Fine-grained access control does not work for Mutation :: Delete #119

Closed StephanDecker closed 1 year ago

StephanDecker commented 1 year ago

We can't implement access control for Mutation :: Delete following this guide here: see https://prisma-appsync.vercel.app/advanced/securing-api.html#%F0%9F%91%89-fine-grained-access-control.

I get the following queryParams:

      operation: 'deleteCar',
      context: { action: 'delete', alias: 'modify', model: 'car' },
      fields: [ 'name' ],
....
....
      paths: [ '/get/car/name' ],
      headers: {}

I think the reason is that the canAccess variable is true by default and the path array only contains the getPath, so we can't apply the delete shielding rules (see https://github.com/maoosi/prisma-appsync/blob/main/packages/client/src/guard.ts#L118). I solved it by checking the operation prop of queryParams:

    // Inside the shield callback; `params` is the queryParams object shown above
    if (params.operation.startsWith('delete')) {
        return {
            '**': {
                // doMyCheck: our own authorization check, keyed on the operation name
                rule: doMyCheck(params.operation),
                reason: ({ model }: Context) => `${model} cannot be deleted by ${roles?.join()}`,
            },
        };
    }
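Added example (not code from this issue or from prisma-appsync's guard.ts): a simplified, self-contained model of path-glob shield matching that reproduces the gap described above. With the quoted queryParams, a rule keyed on `/delete/car/**` is never consulted because `paths` only contains `/get/car/name`, while a `**` rule that inspects `params.operation` does block the delete. The glob semantics (`**` spans segments, `*` matches one segment) and the rule-as-function shape are assumptions of this model, not a description of the library's internals.

```typescript
// Simplified model of shield evaluation (assumption, not prisma-appsync's guard.ts)
type Context = { action: string; alias: string; model: string };

type QueryParams = {
  operation: string;
  context: Context;
  fields: string[];
  paths: string[];
};

type ShieldEntry = {
  rule: boolean | ((params: QueryParams) => boolean);
  reason?: (ctx: Context) => string;
};

type Shield = Record<string, ShieldEntry>;

// Assumed glob semantics: "**" matches across "/" boundaries, "*" matches one segment.
function globToRegExp(glob: string): RegExp {
  let pattern = '^';
  for (let i = 0; i < glob.length; i++) {
    const ch = glob[i];
    if (ch === '*') {
      if (glob[i + 1] === '*') {
        pattern += '.*';
        i++;
      } else {
        pattern += '[^/]*';
      }
    } else {
      pattern += ch.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
    }
  }
  return new RegExp(pattern + '$');
}

// Access is allowed by default; an entry only denies when one of the request's
// paths matches its glob AND its rule evaluates to false.
function canAccess(params: QueryParams, shield: Shield): { allowed: boolean; reason?: string } {
  for (const [glob, entry] of Object.entries(shield)) {
    const matcher = globToRegExp(glob);
    if (!params.paths.some((p) => matcher.test(p))) continue;
    const ok = typeof entry.rule === 'function' ? entry.rule(params) : entry.rule;
    if (!ok) {
      return { allowed: false, reason: entry.reason ? entry.reason(params.context) : undefined };
    }
  }
  return { allowed: true };
}

// Constructed request mirroring the queryParams quoted in the issue.
const deleteCarParams: QueryParams = {
  operation: 'deleteCar',
  context: { action: 'delete', alias: 'modify', model: 'car' },
  fields: ['name'],
  paths: ['/get/car/name'],
};

// Rule keyed on the delete path: never consulted, since paths only contain "/get/...".
const pathKeyedShield: Shield = {
  '/delete/car/**': { rule: false, reason: ({ model }) => `${model} cannot be deleted` },
};

// The workaround from the issue: decide on the operation name instead of the path.
// Here only a hypothetical "admin" role may delete.
function operationKeyedShield(roles: string[]): Shield {
  return {
    '**': {
      rule: (params) => !params.operation.startsWith('delete') || roles.includes('admin'),
      reason: ({ model }) => `${model} cannot be deleted by ${roles.join()}`,
    },
  };
}

function demo(): string {
  const miss = canAccess(deleteCarParams, pathKeyedShield);
  const hit = canAccess(deleteCarParams, operationKeyedShield(['user']));
  return `path-keyed allowed=${miss.allowed}; operation-keyed allowed=${hit.allowed} (${hit.reason})`;
}

console.log(demo());
```

In this model the rule is a function receiving the full `params`, whereas the snippet in the issue computes `doMyCheck(params.operation)` once in the enclosing shield callback; both amount to the same check because the decision depends only on the operation name and the caller's roles.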
maoosi commented 1 year ago

Let's track this issue in https://github.com/maoosi/prisma-appsync/issues/125