Fine-grained access control does not work for Mutation :: Delete
Closed this issue · 1 comment
StephanDecker commented
We can't implement access control for Mutation :: Delete following the guide here: https://prisma-appsync.vercel.app/advanced/securing-api.html#%F0%9F%91%89-fine-grained-access-control.
I get the following queryParams:

```
operation: 'deleteCar',
context: { action: 'delete', alias: 'modify', model: 'car' },
fields: [ 'name' ],
....
....
paths: [ '/get/car/name' ],
headers: {}
```
I think the reason is that the canAccess variable is true by default and the path array only contains the getPath, so we can't apply the delete shielding rules, see:
https://github.com/maoosi/prisma-appsync/blob/main/packages/client/src/guard.ts#L118
I solved it by checking the operation prop of queryParams:

```ts
// Inside the shield function; doMyCheck, roles and Context are defined elsewhere.
if (params.operation.startsWith('delete')) {
  return {
    '**': {
      rule: doMyCheck(params.operation),
      reason: ({ model }: Context) => `${model} cannot be deleted by ${roles?.join()}`,
    },
  };
}
```
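The workaround above, as an added example that is not part of the original issue or of prisma-appsync itself: the QueryParams shape follows the dump in the issue, while `buildShield`, the role policy, the glob matcher and the `evaluate` function are constructed stand-ins for the library's guard, so the delete case can be exercised offline.

```typescript
// Added example (not prisma-appsync's own code): shapes follow the issue's
// queryParams dump; the matcher and evaluator are constructed stand-ins.
type QueryParams = {
  operation: string
  context: { action: string; alias: string; model: string }
  fields: string[]
  paths: string[]
}
type Context = { model: string }
type ShieldRule = { rule: boolean; reason: (ctx: Context) => string }
type Shield = { [pattern: string]: ShieldRule }

// Hypothetical policy: only the 'admin' role may delete or modify.
export function buildShield(params: QueryParams, roles: string[]): Shield {
  const isAdmin = roles.indexOf('admin') !== -1
  // Delete mutations only expose a '/get/...' path, so a path glob cannot
  // single them out; branch on the operation name instead.
  if (/^delete/.test(params.operation)) {
    return {
      '**': {
        rule: isAdmin,
        reason: ({ model }) => `${model} cannot be deleted by ${roles.join()}`,
      },
    }
  }
  // Other operations keep the documented path-based rules.
  return {
    '/get/**': { rule: true, reason: () => 'reads are allowed' },
    '/modify/**': {
      rule: isAdmin,
      reason: ({ model }) => `${model} cannot be modified by ${roles.join()}`,
    },
  }
}

// Minimal glob: '**' matches everything, '/x/**' matches paths under '/x/'.
function matches(pattern: string, path: string): boolean {
  if (pattern === '**') return true
  const prefix = pattern.replace(/\*\*$/, '')
  return path.indexOf(prefix) === 0
}

// A request passes only if every rule whose pattern matches one of its
// paths evaluates to true; the first failing rule supplies the reason.
export function evaluate(params: QueryParams, roles: string[]): { allowed: boolean; reason?: string } {
  const shield = buildShield(params, roles)
  for (const pattern of Object.keys(shield)) {
    const entry = shield[pattern]
    const hit = params.paths.some((p) => matches(pattern, p))
    if (hit && !entry.rule) return { allowed: false, reason: entry.reason(params.context) }
  }
  return { allowed: true }
}
```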