@auth Directive to allow owner AND group #761
Comments
Hey @cocacrave thanks for the question. Joining auth rules with "AND" is not yet supported but we plan on supporting this in the future. This feature is discussed in aws-amplify/amplify-category-api#449.

@mikeparisstuff Thank you! I'll follow the discussion there.

How do you allow read/write for owner and read only for every other authenticated user?
@mikeparisstuff any answer for @rawadrifai's question? Consider a common use case, where there are private and public user profiles. The owner of the profile should have full access where the other authenticated users should be able to read a subset of user fields. Ideally there should be something like,
@babus the way I have solved this is by adding users to a group in a Cognito trigger; perhaps the post confirmation trigger would be best. You either add them to a Cognito group or maintain that in your database. If you decide to maintain it in your database instead of Cognito (which is what I did since I need a lot of groups, more than Cognito's limits), then you have to use the pre token generation trigger as well, in order to override the claims for the user. So the short answer is: add every user to a group that has every user in it, and give read permissions for that group.

@rawadrifai Would you mind sharing the @auth rules? I have added
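The pre token generation step described in the comment above, as an added example that is not code from this thread or from the Amplify project: a Cognito pre token generation Lambda handler (version 1 event shape) that copies application-managed group membership into the `cognito:groups` claim, which is the claim an AppSync `@auth` groups rule evaluates. The membership store (`MEMBERSHIP_DB`), the catch-all group name `Member`, and the sample usernames are assumptions constructed for the example.

```javascript
// Added example (not from the issue thread): Cognito "pre token generation"
// trigger that places every user in a catch-all group and merges in any
// groups the application stores for that user.
// Assumptions: group membership is kept in an application table keyed by the
// Cognito username (modelled here as a constructed in-memory Map), and the
// catch-all group every confirmed user belongs to is called "Member".

// Constructed stand-in for the application's membership store.
const MEMBERSHIP_DB = new Map([
  ["alice", ["Admins", "ProjectA"]],
  ["bob", ["ProjectB"]],
]);

// The group that every user is a member of; grant read access to this group
// in the @auth rules so all authenticated users can read.
const EVERYONE_GROUP = "Member";

// Resolve the groups for a user: the catch-all group plus any stored groups.
// Unknown users still get the catch-all group only.
function groupsForUser(username) {
  const own = MEMBERSHIP_DB.get(username) || [];
  return Array.from(new Set([EVERYONE_GROUP, ...own]));
}

// Lambda handler for the pre token generation trigger. Cognito reads
// response.claimsOverrideDetails.groupOverrideDetails.groupsToOverride and
// issues the ID and access tokens with that list as the cognito:groups claim.
function handler(event) {
  if (!event || !event.userName) {
    throw new Error("pre token generation event without userName");
  }

  // Groups Cognito itself knows for the user arrive in
  // request.groupConfiguration.groupsToOverride; keep them rather than
  // silently dropping native group membership.
  const existing =
    (event.request &&
      event.request.groupConfiguration &&
      event.request.groupConfiguration.groupsToOverride) ||
    [];

  const merged = Array.from(new Set([...existing, ...groupsForUser(event.userName)]));

  event.response = event.response || {};
  event.response.claimsOverrideDetails = {
    groupOverrideDetails: {
      groupsToOverride: merged,
    },
  };
  return event;
}

// Export for the Lambda runtime when loaded as a CommonJS module.
if (typeof module !== "undefined") {
  module.exports = { handler, groupsForUser, EVERYONE_GROUP };
}
```

Because this trigger decides what `cognito:groups` every token carries, the membership lookup it performs is part of the authorization boundary: it should read only from a store the application controls, and the catch-all group should only ever be granted read operations in the schema, so that write access still depends on the owner rule or on a narrower group.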
**Which Category is your question related to?**
GraphQL Transform
**What AWS Services are you utilizing?**
AWS AppSync
**Provide additional details e.g. code snippets**
I read the GraphQL Transform doc but I must have missed something. How do I use the @auth directive to allow only the owner who is also in a group Member? So the owner can do all the queries and mutations but must belong to the Member group. To put it another way, if you belong to the Member group but you are not the owner, you are not authorized to query or mutate. The way I wrote above, I believe, grants owner OR Member group all the rights to every Project? So anyone that belongs to the Member group can, for example, delete a Project that doesn't belong to that person?
Thanks 👍