maoosi/prisma-appsync

Fine-grained access control does not work for Mutation :: Delete

Closed this issue · 1 comments

We can't implement access control for Mutation :: Delete following this guide: https://prisma-appsync.vercel.app/advanced/securing-api.html#%F0%9F%91%89-fine-grained-access-control.

I get the following queryParams:

      operation: 'deleteCar',
      context: { action: 'delete', alias: 'modify', model: 'car' },
      fields: [ 'name' ],
....
....
      paths: [ '/get/car/name' ],
      headers: {}

I think the reason is that the canAccess variable is true by default and the path array only contains the getPath, so that we can't apply the delete shielding rules, see https://github.com/maoosi/prisma-appsync/blob/main/packages/client/src/guard.ts#L118
I solved it by checking the operation prop of queryParams:

    // Delete operations are recognised by the operation name, not by the
    // paths array (which only carries the get path for deleteCar).
    if (params.operation.startsWith('delete')) {
        return {
            '**': {
                // doMyCheck and roles are the reporter's own helper and role list
                rule: doMyCheck(params.operation),
                reason: ({ model }: Context) => `${model} cannot be deleted by ${roles?.join()}`,
            },
        };
    }
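The workaround above, written out as a stand-alone example (added here, not code from the issue or from prisma-appsync): the shield keys its delete rule on `operation`, because the `paths` reported for `deleteCar` only contain `/get/car/name` and a path-keyed delete rule would never match. The `Context`, `QueryParams`, `Shield` types, the `canDelete` role check and the `evaluate` guard stand-in are simplified assumptions, not the library's real API or guard logic.

```typescript
// Simplified shapes standing in for prisma-appsync's types (assumption).
type Context = { action: string; alias: string; model: string };
type QueryParams = { operation: string; context: Context; fields: string[]; paths: string[] };
type Rule = boolean | ((ctx: Context) => boolean);
type Shield = { [path: string]: { rule: Rule; reason?: (ctx: Context) => string } };

// Constructed queryParams mirroring what the issue reports for deleteCar.
const deleteCarParams: QueryParams = {
  operation: 'deleteCar',
  context: { action: 'delete', alias: 'modify', model: 'car' },
  fields: ['name'],
  paths: ['/get/car/name'],
};

// Role check standing in for the issue's doMyCheck(): only 'admin' may delete.
function canDelete(roles: string[]): boolean {
  return roles.indexOf('admin') !== -1;
}

// Shield builder: delete operations are identified by the operation name; every
// other operation gets a rule keyed on the request's own paths.
function buildShield(params: QueryParams, roles: string[]): Shield {
  if (params.operation.startsWith('delete')) {
    return {
      '**': {
        rule: canDelete(roles),
        reason: ({ model }) => `${model} cannot be deleted by ${roles.join()}`,
      },
    };
  }
  const shield: Shield = {};
  for (const p of params.paths) shield[p] = { rule: true };
  return shield;
}

// Stand-in for the guard: access defaults to true and is revoked by the first
// matching rule that evaluates to false ('**' matches every path).
function evaluate(params: QueryParams, shield: Shield): { allowed: boolean; reason?: string } {
  for (const path of params.paths) {
    for (const key in shield) {
      if (key !== '**' && key !== path) continue;
      const entry = shield[key];
      const ok = typeof entry.rule === 'function' ? entry.rule(params.context) : entry.rule;
      if (!ok) return { allowed: false, reason: entry.reason ? entry.reason(params.context) : undefined };
    }
  }
  return { allowed: true };
}
```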
maoosi commented

Let's track this issue in #125