maoosi / prisma-appsync

⚡ Turns your ◭ Prisma Schema into a fully-featured GraphQL API, tailored for AWS AppSync.
https://prisma-appsync.vercel.app
BSD 2-Clause "Simplified" License
226 stars 18 forks

Fine-grained access control does not work for nested create/connectOrCreate fields #120

Closed StephanDecker closed 1 year ago

StephanDecker commented 1 year ago

Let's say we have the following object:

{
   "car":{
      "name":"Audi",
      "color":{
         "create":{
            "name":"yellow"
         }
      },
      "type":{
         "connect":{
            "name":"SUV"
         }
      }
   }
}

We do want to allow connecting to an existing record (type), but we don't want to allow creating a new record (color). Currently that's not possible because there is no difference in the paths array:

paths: ['/create/car/color/name', '/create/car/type/name'....]

Another problem with the path object is that type (allowed) overwrites the falsy canAccess variable of color by iterating first through the path array and then through the shield object, see: https://github.com/maoosi/prisma-appsync/blob/main/packages/client/src/guard.ts#L118-L121

I solved both issues by iterating through the params.args.data object where you can filter by ['create', 'connectOrCreate']

PS: Thanks again for your great lib!
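An added illustration of the approach described above (not the library's own guard code, and not the commenter's implementation): walk `params.args.data`, emit one path per nested relation operation so `color/create` and `type/connect` are distinguishable, and evaluate the shield with deny-wins semantics so an allowed sibling path cannot overwrite a denied one. The path format, the exact-match shield keys and the `ISSUE_DATA`/`ISSUE_SHIELD` values are assumptions constructed for this example.

```typescript
// Added example, not prisma-appsync's own guard code: walk params.args.data,
// emit one path per nested relation operation, and evaluate the shield so a
// denied nested operation is never overwritten by an allowed sibling.
type Data = Record<string, unknown>;
type Shield = Record<string, boolean>; // exact-match keys (a simplification)

// Nested relation operations Prisma accepts inside a write payload.
const NESTED_OPS: readonly string[] = ['create', 'connectOrCreate', 'connect', 'update', 'upsert', 'delete'];

function asObjects(v: unknown): Data[] {
  if (Array.isArray(v)) return v.filter((x) => x && typeof x === 'object') as Data[];
  return v && typeof v === 'object' ? [v as Data] : [];
}

// Produces operation-aware paths such as '/create/car/color/create' and
// '/create/car/type/connect' (constructed format; the lib's own paths differ).
export function collectNestedOps(data: Data, prefix: string): string[] {
  const found: string[] = [];
  for (const [key, value] of Object.entries(data)) {
    for (const child of asObjects(value)) {
      const ops = Object.keys(child).filter((k) => NESTED_OPS.includes(k));
      if (ops.length === 0) {
        found.push(...collectNestedOps(child, `${prefix}/${key}`)); // plain nested object
        continue;
      }
      for (const op of ops) {
        found.push(`${prefix}/${key}/${op}`);
        for (const inner of asObjects(child[op])) {
          found.push(...collectNestedOps(inner, `${prefix}/${key}/${op}`));
        }
      }
    }
  }
  return found;
}

// Deny wins: one denied path fails the whole request, so an allowed sibling
// path (type/connect) cannot flip a denied one (color/create) back to true.
export function canAccess(paths: string[], shield: Shield): { allowed: boolean; denied: string[] } {
  const denied = paths.filter((p) => shield[p] === false);
  return { allowed: denied.length === 0, denied };
}

// Constructed request mirroring the issue's example payload.
export const ISSUE_DATA: Data = {
  car: { name: 'Audi', color: { create: { name: 'yellow' } }, type: { connect: { name: 'SUV' } } },
};
export const ISSUE_SHIELD: Shield = { '/create/car/type/connect': true, '/create/car/color/create': false };
```

Running `canAccess(collectNestedOps(ISSUE_DATA, '/create'), ISSUE_SHIELD)` rejects the request and reports `/create/car/color/create` as the denied path, while a payload containing only the `connect` passes.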

cjjenkinson commented 1 year ago

@maoosi Similar to an issue I created recently. Being able to omit certain operation paths from the data field in Mutation inputs.

maoosi commented 1 year ago

Let's track this issue in https://github.com/maoosi/prisma-appsync/issues/125