maoosi/prisma-appsync

Fine-grained access control does not work for nested create/connectOrCreate fields

StephanDecker opened this issue · 2 comments

Let's say we have the following object:

{
  "car": {
    "name": "Audi",
    "color": {
      "create": {
        "name": "yellow"
      }
    },
    "type": {
      "connect": {
        "name": "SUV"
      }
    }
  }
}

We do want to allow connecting to an existing record (type), but we don't want to allow creating a new record (color). Currently that's not possible because there is no difference in the paths array:

paths: ['/create/car/color/name', '/create/car/type/name'....]

Another problem with the path object is that type (allowed) overwrites the falsy canAccess variable of color by iterating first through the path array and then through the shield object, see:
https://github.com/maoosi/prisma-appsync/blob/main/packages/client/src/guard.ts#L118-L121

I solved both issues by iterating through the params.args.data object, where you can filter by ['create', 'connectOrCreate'].

PS: Thanks again for your great lib!
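The approach sketched in the issue, as an added TypeScript example that is not prisma-appsync's own code: walk the nested write payload (the issue's object, constructed inline), remember which nested relation operation (create, connect, connectOrCreate, ...) each leaf path was reached through, and evaluate a shield so that a denial on one path cannot be overwritten by an allow on a later one. The `ShieldRule` shape, `ruleApplies`, `lastMatchWins` and `firstDeniedPath` are hypothetical names chosen for this illustration; `lastMatchWins` is only a sketch of the overwrite pattern the issue describes, not the library's guard.ts code.

```typescript
// Added example, not prisma-appsync code. Flattens a Prisma-style nested
// write object into paths (as the issue's paths array does) while keeping
// the nested operations that were crossed, then evaluates shield rules
// without letting a later allow overwrite an earlier deny.

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

const NESTED_OPS = [
  'create', 'connect', 'connectOrCreate', 'update', 'upsert', 'disconnect', 'delete', 'set',
] as const;
type NestedOp = (typeof NESTED_OPS)[number];

interface OpPath {
  path: string;     // e.g. "/create/car/color/name"
  ops: NestedOp[];  // nested operations crossed to reach the leaf, outermost first
}

function isNestedOp(key: string): key is NestedOp {
  return (NESTED_OPS as readonly string[]).includes(key);
}

// Recursively flatten `data` (e.g. params.args.data of a create mutation).
// `action` is the top-level action prefix, "/create" in the issue's example.
// Keys that are nested relation operations are dropped from the path, exactly
// like the issue's paths array, but are recorded in `ops`.
function collectOpPaths(data: Json, action: string, ops: NestedOp[] = []): OpPath[] {
  if (data === null || typeof data !== 'object') return [{ path: action, ops }];
  const out: OpPath[] = [];
  if (Array.isArray(data)) {
    for (const item of data) out.push(...collectOpPaths(item, action, ops));
    return out;
  }
  for (const key of Object.keys(data)) {
    const value = data[key];
    if (isNestedOp(key)) out.push(...collectOpPaths(value, action, [...ops, key]));
    else out.push(...collectOpPaths(value, `${action}/${key}`, ops));
  }
  return out;
}

// Hypothetical rule shape for this example: a path pattern, an allow/deny
// verdict, and an optional list of nested operations the rule is limited to.
interface ShieldRule {
  pattern: RegExp;
  allow: boolean;
  nestedOps?: NestedOp[];
}

function ruleApplies(rule: ShieldRule, p: OpPath): boolean {
  if (!rule.pattern.test(p.path)) return false;
  if (rule.nestedOps && !rule.nestedOps.some(op => p.ops.includes(op))) return false;
  return true;
}

// Sketch of the overwrite the issue describes (illustrative, not guard.ts):
// one canAccess flag is reassigned by every matching path/rule pair, so the
// last match decides, even if an earlier path was denied.
function lastMatchWins(paths: OpPath[], rules: ShieldRule[]): boolean {
  let canAccess = true;
  for (const p of paths) {
    for (const rule of rules) {
      if (ruleApplies(rule, p)) canAccess = rule.allow;
    }
  }
  return canAccess;
}

// Deny-wins evaluation: returns the first path some rule denies, or null when
// every path is allowed. A later allow can no longer mask an earlier deny.
function firstDeniedPath(paths: OpPath[], rules: ShieldRule[]): string | null {
  for (const p of paths) {
    for (const rule of rules) {
      if (ruleApplies(rule, p) && !rule.allow) return p.path;
    }
  }
  return null;
}

// Constructed input: the object from the issue.
const sampleData: Json = {
  car: {
    name: 'Audi',
    color: { create: { name: 'yellow' } },
    type: { connect: { name: 'SUV' } },
  },
};

// Constructed rules: everything under /create/car is allowed, except writes
// that pass through a nested create or connectOrCreate (i.e. that would
// insert a new related record). Connecting to an existing record stays allowed.
const sampleRules: ShieldRule[] = [
  { pattern: /^\/create\/car\//, allow: true },
  { pattern: /^\/create\/car\//, allow: false, nestedOps: ['create', 'connectOrCreate'] },
];

const samplePaths = collectOpPaths(sampleData, '/create');
console.log(samplePaths);
console.log('last match wins:', lastMatchWins(samplePaths, sampleRules));
console.log('first denied path:', firstDeniedPath(samplePaths, sampleRules));
```

With the issue's object, `collectOpPaths` yields `/create/car/name` (no nested op), `/create/car/color/name` (through `create`) and `/create/car/type/name` (through `connect`), so a rule can target the color create without touching the type connect. The same input shows the second problem: `lastMatchWins` returns true because the allowed type path is visited after the denied color path, whereas `firstDeniedPath` reports `/create/car/color/name`.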

@maoosi Similar to an issue I created recently. Being able to omit certain operation paths from the data field in Mutation inputs.

maoosi commented

Let's track this issue in #125