maoosi/prisma-appsync

Fine-grained access control does not work for Query :: Count

StephanDecker opened this issue · 2 comments

We can't implement access control for Query :: Count, see https://prisma-appsync.vercel.app/advanced/securing-api.html#%F0%9F%91%89-fine-grained-access-control. It's a read-only query, but using the `where` filter option you can search for sensitive data.
I think the reason is that the `canAccess` variable is `true` by default and the `path` array is empty, so that we can't apply the shielding rules, see https://github.com/maoosi/prisma-appsync/blob/main/packages/client/src/guard.ts#L118
Even `return { '**': { rule: false, reason: () => 'You do not have any valid role', }, };` does not work because the path is empty.
It's not urgent (only read-only), just to let you know.
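The failure mode described in this report, shown as an added illustration (this is not prisma-appsync's own guard code): a minimal glob-style shield matcher where access starts out as `true` and rules are only consulted per path, so a count request that carries no field paths is never checked, even against a `'**'` deny rule. The hardened variant beside it evaluates a count with no paths against a synthetic operation path and denies when no rule matched. The `'count/<Model>'` path format, the last-matching-rule-wins ordering and the boolean `Shield` shape are assumptions made for this example only.

```typescript
// Added example, not project code. Models the default-allow pitfall for
// Query :: Count and one way to close it. Path format and rule ordering
// are assumptions, not prisma-appsync's actual conventions.

type Shield = Record<string, boolean>; // glob pattern -> allowed?

// '**' matches anything (including '/'), '*' matches a single path segment.
export function globToRegExp(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const source = escaped
    .replace(/\*\*/g, '\u00a7\u00a7') // placeholder so '*' handling does not eat '**'
    .replace(/\*/g, '[^/]*')
    .replace(/\u00a7\u00a7/g, '.*');
  return new RegExp(`^${source}$`);
}

// Naive guard: canAccess is true up front and rules are only applied to
// each field path. With an empty path list nothing is evaluated, so even
// a catch-all deny rule is silently bypassed.
export function canAccessNaive(shield: Shield, paths: string[]): boolean {
  let canAccess = true; // the pitfall: default allow
  for (const path of paths) {
    for (const [pattern, allowed] of Object.entries(shield)) {
      if (globToRegExp(pattern).test(path)) canAccess = allowed;
    }
  }
  return canAccess;
}

// Hardened guard: a count with no field paths is still an access to the
// model, so it is judged as the synthetic path 'count/<Model>' (assumed
// format). Every effective path must be allowed by the last matching rule;
// if no rule matches at all, the answer is deny.
export function canAccessHardened(shield: Shield, model: string, paths: string[]): boolean {
  const effectivePaths = paths.length > 0 ? paths : [`count/${model}`];
  return effectivePaths.every((path) => {
    let decision: boolean | undefined;
    for (const [pattern, allowed] of Object.entries(shield)) {
      if (globToRegExp(pattern).test(path)) decision = allowed; // last match wins (assumption)
    }
    return decision ?? false; // no matching rule: default deny
  });
}

// Constructed demo: a shield that denies everything, then one that
// re-opens only counts on User.
const denyAll: Shield = { '**': false };
const countOnly: Shield = { '**': false, 'count/User': true };
console.log('naive, count with no paths   :', canAccessNaive(denyAll, []));            // true (bypass)
console.log('hardened, count with no paths:', canAccessHardened(denyAll, 'User', []));  // false
console.log('hardened, count re-opened    :', canAccessHardened(countOnly, 'User', [])); // true
console.log('hardened, field read denied  :', canAccessHardened(countOnly, 'User', ['get/User/email'])); // false
```

The point of the hardened version is not the specific path format but the two structural changes: an operation with no field paths still produces something to evaluate, and the absence of a matching rule resolves to deny rather than to the initial value of a flag.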

maoosi commented

Thanks @StephanDecker! Added to the roadmap.

maoosi commented

Let's track this issue in #125