@auth Directive to allow owner AND group #761

Closed
cocacrave opened this issue Jan 24, 2019 · 7 comments
Labels
graphql-transformer-v1 Issue related to GraphQL Transformer v1 question General question

Comments

@cocacrave commented Jan 24, 2019

**Which Category is your question related to?**
GraphQL Transform

**What AWS Services are you utilizing?**
AWS AppSync

**Provide additional details e.g. code snippets**
I read the GraphQL Transform doc but I must have missed something. How do I use the @auth directive to allow only the owner who is also in the group Member? So the owner can do all the queries and mutations but must belong to the Member group. To put it another way: if you belong to the Member group but you are not the owner, you are not authorized to query or mutate.

type Project @model @auth(rules: [
    { allow: owner },
    # static group rule; the post wrote `groups group: ["X"]`, which is not valid
    # directive syntax, and the prose names the group "Member"
    { allow: groups, groups: ["Member"] }
]) { ... }

The way I wrote it above, I believe, grants the owner OR the Member group all rights to every Project? So anyone who belongs to the Member group can, for example, delete a Project that doesn't belong to them?

Thanks 👍

@kaustavghosh06 kaustavghosh06 added graphql-transformer-v1 Issue related to GraphQL Transformer v1 question General question labels Jan 24, 2019
@mikeparisstuff (Contributor) commented Jan 24, 2019

Hey @cocacrave thanks for the question. Joining auth rules with "AND" is not yet supported but we plan on supporting this in the future. This feature is discussed in aws-amplify/amplify-category-api#449.
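To make the consequence of the question's schema concrete, here is a small model of how the v1 transformer combines a rule list, written for this page and not taken from Amplify's own code. It assumes what the v1 docs state: an owner rule compares the item's owner field with the token's `username` claim, a static groups rule checks the token's `cognito:groups` claim, and the generated resolver authorizes the request if any rule passes. The claim names, identities and Project items below are constructed for the example; `all_rules_allow` is the AND combination that v1 did not offer and that a custom resolver would have to implement by hand.

```python
"""Toy model of how Amplify v1 combines the rules in @auth(rules: [...])."""
from dataclasses import dataclass

ALL_OPS = ("create", "read", "update", "delete")


@dataclass(frozen=True)
class Rule:
    allow: str                        # "owner" or "groups"
    groups: tuple = ()                # static group names for allow: groups
    operations: tuple = ALL_OPS       # operations the rule grants
    owner_field: str = "owner"        # v1 default ownerField
    identity_claim: str = "username"  # v1 default identityField (assumed)


def rule_allows(rule, claims, item, op):
    """Does this single rule authorize `op` on `item` for a caller with `claims`?"""
    if op not in rule.operations:
        return False
    if rule.allow == "owner":
        owner = item.get(rule.owner_field)
        return owner is not None and owner == claims.get(rule.identity_claim)
    if rule.allow == "groups":
        caller_groups = set(claims.get("cognito:groups", ()))
        return not caller_groups.isdisjoint(rule.groups)
    raise ValueError(f"unknown allow strategy {rule.allow!r}")


def any_rule_allows(rules, claims, item, op):
    """v1 semantics: the rule list is a disjunction (OR)."""
    return any(rule_allows(r, claims, item, op) for r in rules)


def all_rules_allow(rules, claims, item, op):
    """Conjunction (AND): not expressible in v1 @auth; shown for contrast."""
    return all(rule_allows(r, claims, item, op) for r in rules)


# The schema from the question, as rule objects.
PROJECT_RULES = (Rule(allow="owner"), Rule(allow="groups", groups=("Member",)))

# Constructed identities (decoded ID-token claims) and items.
ALICE = {"username": "alice", "cognito:groups": ["Member"]}   # owner and Member
BOB = {"username": "bob", "cognito:groups": ["Member"]}       # Member, not owner
CAROL = {"username": "carol", "cognito:groups": []}           # owner, not Member
ALICES_PROJECT = {"id": "p1", "owner": "alice"}
CAROLS_PROJECT = {"id": "p2", "owner": "carol"}


def decisions(op="delete"):
    """Side-by-side OR vs AND decisions for the scenarios in the thread."""
    cases = {
        "alice on p1": (ALICE, ALICES_PROJECT),
        "bob on p1": (BOB, ALICES_PROJECT),
        "carol on p2": (CAROL, CAROLS_PROJECT),
    }
    return {
        name: {
            "OR (v1 @auth)": any_rule_allows(PROJECT_RULES, c, i, op),
            "AND (wanted)": all_rules_allow(PROJECT_RULES, c, i, op),
        }
        for name, (c, i) in cases.items()
    }


if __name__ == "__main__":
    for name, result in decisions().items():
        print(f"{name:12} {result}")
```

Running it shows the two failures the question worries about: under OR, bob (a Member who is not the owner) can delete alice's project, and carol can act on her own project without being a Member; only the AND combination rejects both while still admitting alice.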

@cocacrave (Author)

@mikeparisstuff Thank you! I'll follow the discussion there.

@rawadrifai

How do you allow read/write for owner and read only for every other authenticated user?

@ghost commented Jul 18, 2019

@mikeparisstuff any answer to @rawadrifai's question? Consider a common use case where there are private and public user profiles. The owner of the profile should have full access, while other authenticated users should be able to read a subset of user fields. Ideally there should be something like:

@auth(rules: [
    { allow: owner },
    { allow: everyone, operations: [read], fields: [] }
])

@rawadrifai

@babus the way I have solved this is by adding users to a group in a Cognito trigger; perhaps a post confirmation trigger would be best. You either add them to a Cognito group or maintain that in your database. If you decide to maintain it in your database instead of Cognito (which is what I did, since I need a lot more groups than Cognito's limits allow), then you also have to use the pre token generation trigger, in order to override the claims for the user.

So the short answer is: add every user to a group that contains every user, and give read permissions to that group.
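The two routes named in the comment above, as an added example written for this page rather than the commenter's own code: a post-confirmation trigger that adds the newly confirmed user to a real Cognito group via AdminAddUserToGroup, and a pre-token-generation trigger that rewrites the `cognito:groups` claim from the application's own membership store. The group name "everyone", the in-memory MEMBERSHIP table and the RecordingClient test double are assumptions; in deployment the client is `boto3.client("cognito-idp")` and the function's role needs `cognito-idp:AdminAddUserToGroup` on the pool.

```python
"""Cognito Lambda triggers that put every user into an "everyone" group."""

EVERYONE_GROUP = "everyone"  # assumed group name


class RecordingClient:
    """Offline stand-in for boto3.client("cognito-idp"); records the calls made."""

    def __init__(self):
        self.calls = []

    def admin_add_user_to_group(self, **kwargs):
        self.calls.append(kwargs)
        return {}


def post_confirmation(event, cognito_client):
    """PostConfirmation trigger handler.

    Only sign-up confirmations create a new user; forgot-password
    confirmations fire the same trigger and are skipped. `cognito_client`
    is a boto3 cognito-idp client (or RecordingClient when run offline).
    """
    if event.get("triggerSource") != "PostConfirmation_ConfirmSignUp":
        return event
    cognito_client.admin_add_user_to_group(
        UserPoolId=event["userPoolId"],
        Username=event["userName"],
        GroupName=EVERYONE_GROUP,
    )
    return event  # Cognito expects the event object back


# Constructed stand-in for the application's membership store, keyed by
# username (the comment keeps groups here to avoid Cognito's group limit).
MEMBERSHIP = {"alice": ["team-blue"], "bob": []}


def pre_token_generation(event, membership=MEMBERSHIP):
    """TokenGeneration_* trigger handler.

    Replaces the cognito:groups claim with "everyone" plus whatever the
    application store holds for the user. groupsToOverride replaces the
    claim outright, so a group that still exists in Cognito but not in the
    store never reaches AppSync.
    """
    username = event["userName"]
    groups = sorted({EVERYONE_GROUP, *membership.get(username, [])})
    response = event.setdefault("response", {})
    response["claimsOverrideDetails"] = {
        "groupOverrideDetails": {"groupsToOverride": groups},
    }
    return event


def groups_in_token(event):
    """The groups the issued token will carry after pre_token_generation ran."""
    details = event["response"]["claimsOverrideDetails"]
    return details["groupOverrideDetails"]["groupsToOverride"]


if __name__ == "__main__":
    client = RecordingClient()
    post_confirmation(
        {"triggerSource": "PostConfirmation_ConfirmSignUp",
         "userPoolId": "us-east-1_example", "userName": "dave"},
        client,
    )
    print("post-confirmation calls:", client.calls)
    print("alice token groups:", groups_in_token(
        pre_token_generation({"userName": "alice", "response": {}})))
```

With the claim rewritten this way, a model-level `{ allow: groups, groups: ["everyone"], operations: [read] }` rule sees every signed-in caller as a member of "everyone"; the v1 transformer still ORs it with the owner rule, so it widens read access only and does not by itself restrict which fields non-owners can see.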

@ghost commented Jul 20, 2019

@rawadrifai Would you mind sharing the @auth rules? I have added @auth(rules: [{ allow: groups, groups: ["everyone"], operations: [read] }]) at the field level, because if I add it at the model level it does not let the owner create the document but instead treats him as belonging to the "everyone" group and returns Unauthorized.

@github-actions

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 27, 2021