Fine-grained access control does not work for Query :: Count
StephanDecker opened this issue · 2 comments
We can't implement access control for Query :: Count, see https://prisma-appsync.vercel.app/advanced/securing-api.html#%F0%9F%91%89-fine-grained-access-control. It's a read-only query, but using the `where` filter option you can search for sensitive data.
I think the reason is that the `canAccess` variable is `true` by default and the path array is empty, so we can't apply the shielding rules, see
https://github.com/maoosi/prisma-appsync/blob/main/packages/client/src/guard.ts#L118
Even `return { '**': { rule: false, reason: () => 'You do not have any valid role', }, };` does not work because the path is empty.
It's not urgent (only read-only), just to let you know.
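The failure mode described in the issue, as an added illustration that is not prisma-appsync's own code: a minimal path-based shield evaluator in which `canAccess` starts as `true` and is only flipped by a rule that matches some path, so an empty path list (as for the count query) bypasses even a catch-all `'**'` deny rule, beside a fail-closed variant that derives a path for every operation and denies when none exists. The function and type names (`evaluateShield`, `evaluateShieldFailClosed`, `pathsFor`, `Shield`) are hypothetical.

```typescript
// Added example, not the project's code; names are hypothetical.
type ShieldRule = { rule: boolean; reason: () => string };
type Shield = Record<string, ShieldRule>;
type Decision = { canAccess: boolean; reason?: string };

// Turn a shield key such as "**" or "/get/user/**" into a path matcher:
// "**" crosses "/" boundaries, a single "*" stays within one segment.
function globToRegExp(glob: string): RegExp {
  const pattern = glob
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*\*/g, '\u0000')            // placeholder for "**"
    .replace(/\*/g, '[^/]*')
    .replace(/\u0000/g, '.*');
  return new RegExp(`^${pattern}$`);
}

// Vulnerable shape: default allow, and rules are only consulted per path.
// With paths === [] the loops never run, so a '**' deny rule is ignored.
function evaluateShield(shield: Shield, paths: string[]): Decision {
  let canAccess = true;
  let reason: string | undefined;
  for (const path of paths) {
    for (const [glob, entry] of Object.entries(shield)) {
      if (entry.rule === false && globToRegExp(glob).test(path)) {
        canAccess = false;
        reason = entry.reason();
      }
    }
  }
  return { canAccess, reason };
}

// Hardened shape, part 1: every operation yields at least an operation-level
// path (e.g. "/count/user"), plus one path per field touched by the request
// (e.g. the "where" filter's fields), so shield rules have something to match.
function pathsFor(operation: string, model: string, fields: string[] = []): string[] {
  const base = `/${operation}/${model}`.toLowerCase();
  return [base, ...fields.map((f) => `${base}/${f.toLowerCase()}`)];
}

// Hardened shape, part 2: a request with no path to authorize is denied
// instead of silently falling through to the default allow.
function evaluateShieldFailClosed(shield: Shield, paths: string[]): Decision {
  if (paths.length === 0) {
    return { canAccess: false, reason: 'No path to authorize; denying by default' };
  }
  return evaluateShield(shield, paths);
}
```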
Thanks @StephanDecker! Added to the roadmap.