1
votes

I created a GraphQL API using AWS' Amplify. In the schema, I have a Comment model that looks like this:

type Comment
  @auth(rules: [{ allow: owner }, { allow: private, operations: [read] }, { allow: public, operations: [read] }])
  @model
  @key(name: "byAuthor", fields: ["authorID"])
  @key(name: "byPost", fields: ["postID"]) {
  authorID: ID!  # referenced by the byAuthor key above, so the type must declare it
  content: String!
  createdAt: AWSDateTime!
  id: ID!
  owner: String
  postID: ID!
  updatedAt: AWSDateTime!
}

This gives the owner permission to create, read, update, and delete, and restricts unauthenticated/authenticated-non-owner users to read-only. This works as expected; however, the owner can update the ownerField's value, essentially attributing the comment to another user...which is a no-no. To prevent this, I tried using field-level permissions (see below); however, that doesn't appear to be stopping the update.

...
owner: String @auth(rules: [{ allow: owner, operations: [ create ]}])
...

Is there something I'm missing? Any help is much appreciated--thank you!

1

I've tried setting the top-level auth rules to only allow create, read, and delete operations for the owner and changing the field-level auth on the content field to update to see if the inverse would work, and I'm still able to update the owner field. – robbymarston

1 Answer

3
votes

You're very close. Using a field-level @auth directive, you want to explicitly grant the owner the ability to create and read and explicitly deny the world the ability to update and delete. It might look something like:

type Todo
    @model
    @auth(rules: [{ allow: owner, ownerField: "author" }]) {
    id: ID!
    name: String!
    author: String
        @auth(
            rules: [
                { allow: groups, groups: ["FORBIDDEN"], operations: [update, delete] }
                { allow: owner, ownerField: "author", operations: [create, read] }
            ]
        )
}

Here, the "FORBIDDEN" group is a non-existent group. Its name can be anything so long as you do not plan to actually create a group by that name in the future. Because no user will ever have the "FORBIDDEN" group claim, any/all update or delete operations on the field will fail.
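Applying the answer's pattern to the Comment model from the question, as an added example that is not from the original post or from Amplify's own documentation. It assumes the Amplify GraphQL transformer v1 syntax used above, and it restates the private/public read grants on the owner field because a field-level @auth replaces the model-level rules for that field, so omitting them would hide the owner from non-owner readers:

```graphql
type Comment
  @model
  @key(name: "byAuthor", fields: ["authorID"])
  @key(name: "byPost", fields: ["postID"])
  @auth(rules: [
    { allow: owner }
    { allow: private, operations: [read] }
    { allow: public, operations: [read] }
  ]) {
  id: ID!
  content: String!
  authorID: ID!
  postID: ID!
  createdAt: AWSDateTime!
  updatedAt: AWSDateTime!
  # The owner may set this field once (create) and read it back.
  # "FORBIDDEN" is a group that must never be created in Cognito, so
  # update and delete on this field are denied to everyone, owner included.
  # private/public read is repeated here because these field rules
  # override the model-level rules for this field.
  owner: String
    @auth(rules: [
      { allow: groups, groups: ["FORBIDDEN"], operations: [update, delete] }
      { allow: owner, operations: [create, read] }
      { allow: private, operations: [read] }
      { allow: public, operations: [read] }
    ])
}
```

After `amplify push`, an updateComment mutation that changes `owner` should return an Unauthorized error while updates to `content` by the owner still succeed; that is the check to run before relying on it.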