@auth does not work for update mutations with owner and group combo #305
Comments
To fix, I modified the update resolver code like below. Basically I changed $isAuthorized flag to $isGroupAuthorized, removed the $util.unauthorized(), and instead only add the owner $authcondition if $isGroupAuthorized is false.
Great, thank you @mikeparisstuff for this and the rest of your work. :)
This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs. Looking for a help forum? We recommend joining the Amplify Community Discord server.
Describe the bug
If a @model has @auth rules of "allow: owner" and "allow: groups, groups: ["Manager"], mutations: [update]", updates won't actually work when a user belonging to the Manager group performs an update mutation. Instead you get the following DynamoDB error:
The conditional request failed (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: ConditionalCheckFailedException
To Reproduce
Steps to reproduce the behavior:
Create model in graphql as follows:
Then, as a user belonging to the Manager group, try to do an update mutation; you'll get the error.
Expected behavior
If a user belongs to a group that is authorized for updates, then the owner check should be skipped.
Additional context
The reason this bug is happening is because the ownership condition is appended to the DynamoDB query on updates regardless of what group the user belongs to. To fix, the static group authorization code in the VTL should run first, then the ownership condition should only be added if $isAuthorized is false. Actually, the more I look at the resolver code, even the actual owner (who may not belong to the Managers group) won't be able to update the model. $isAuthorized is set to true only if the user belongs to the defined group. So it seems this scenario of a combo owner and groups @auth rule was not tested and is not currently supported.
This is the start of Mutation.updateTask.request:
And this is the dynamo query:
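As an added illustration (not the transformer's own VTL, and not code posted in this issue), here is the update-authorization flow from the report and from the fix comment above, modelled in Python so the two orderings can be compared on sample input: the original flow, where $isAuthorized comes only from the static group check and the owner condition is appended regardless, beside the corrected flow, where the owner condition is added only when the group check did not authorize the caller. The helper names (try_update, fixed_request, original_request), the claim layout with a "cognito:groups" list, and the sample task and users are assumptions constructed for this example.

```python
"""Model of the update-authorization decision discussed in the issue.

Added illustration, not the Amplify transformer's VTL. It mirrors the two
behaviours described: the original resolver (group check sets the only
authorized flag, owner condition always appended) and the corrected order
(owner condition only when the group check did not authorize the caller).
"""

MANAGER_GROUP = "Manager"   # group named in the @auth rule from the report
OWNER_FIELD = "owner"       # owner field name assumed for this example


class Unauthorized(Exception):
    """Stands in for $util.unauthorized() in the resolver."""


def is_group_authorized(claims: dict, groups=(MANAGER_GROUP,)) -> bool:
    """Static group check: does the caller belong to an allowed group?"""
    # Claim layout assumed here: a list under the "cognito:groups" key.
    user_groups = claims.get("cognito:groups") or []
    return any(g in user_groups for g in groups)


def owner_condition(claims: dict) -> dict:
    """Condition expression equivalent to the owner check ($authCondition)."""
    return {
        "expression": f"#{OWNER_FIELD} = :owner",
        "expressionNames": {f"#{OWNER_FIELD}": OWNER_FIELD},
        "expressionValues": {":owner": claims["username"]},
    }


def original_request(claims: dict) -> dict:
    """Behaviour described in the report: $isAuthorized comes only from the
    group check, and the owner condition is appended no matter what."""
    is_authorized = is_group_authorized(claims)
    if not is_authorized:
        raise Unauthorized()  # the plain owner never reaches DynamoDB
    # Bug: a Manager who is not the owner fails the conditional write.
    return {"condition": owner_condition(claims)}


def fixed_request(claims: dict) -> dict:
    """Order from the fix comment: group check first, and the owner
    condition only when the caller was not authorized by group."""
    if is_group_authorized(claims):
        return {"condition": None}
    return {"condition": owner_condition(claims)}


def dynamodb_update(item: dict, request: dict) -> str:
    """Minimal stand-in for DynamoDB's conditional UpdateItem."""
    cond = request["condition"]
    if cond is not None:
        field = cond["expressionNames"][f"#{OWNER_FIELD}"]
        if item.get(field) != cond["expressionValues"][":owner"]:
            return "ConditionalCheckFailedException"
    return "updated"


def try_update(build_request, claims: dict, item: dict) -> str:
    """Run one update attempt through a resolver flow and the DynamoDB stub."""
    try:
        request = build_request(claims)
    except Unauthorized:
        return "Unauthorized"
    return dynamodb_update(item, request)


# Constructed sample data: a task owned by "alice"; "bob" is a Manager.
TASK = {"id": "task-1", OWNER_FIELD: "alice"}
ALICE = {"username": "alice", "cognito:groups": []}
BOB = {"username": "bob", "cognito:groups": [MANAGER_GROUP]}
CAROL = {"username": "carol", "cognito:groups": []}

if __name__ == "__main__":
    for who, claims in (("owner alice", ALICE), ("manager bob", BOB),
                        ("other carol", CAROL)):
        print(f"{who:13} original={try_update(original_request, claims, TASK):32}"
              f" fixed={try_update(fixed_request, claims, TASK)}")
```

Running it shows the two symptoms from the report side by side: in the original order the Manager hits ConditionalCheckFailedException and the owner is rejected before the write, while in the corrected order both succeed and only a caller who is neither owner nor Manager is stopped by the owner condition.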