Fine-grained access control does not work for nested create/connectOrCreate fields
StephanDecker opened this issue · 2 comments
StephanDecker commented
Let's say we have the following object:
```json
{
  "car": {
    "name": "Audi",
    "color": {
      "create": {
        "name": "yellow"
      }
    },
    "type": {
      "connect": {
        "name": "SUV"
      }
    }
  }
}
```
We do want to allow connecting to an existing record (`type`), but we don't want to allow creating a new record (`color`). Currently that's not possible because there is no difference in the `paths` array:

```
paths: ['/create/car/color/name', '/create/car/type/name'....]
```
Another problem with the path object is that `type` (allowed) overwrites the falsy `canAccess` variable of `color` by iterating first through the `path` array and then through the `shield` object, see:
https://github.com/maoosi/prisma-appsync/blob/main/packages/client/src/guard.ts#L118-L121
I solved both issues by iterating through the `params.args.data` object where you can filter by `['create', 'connectOrCreate']`
PS: Thanks again for your great lib!
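
The approach described in the issue above, sketched as an added example (not code from the issue or from prisma-appsync): walk the mutation's data object, keep the operation keyword for each nested relation write, and let a single denied operation reject the whole mutation. `findNestedWrites`, `canAccess` and `carData` are hypothetical names, and the example assumes only `create`, `connectOrCreate` and `connect` are treated as operation keywords.

```typescript
// Added illustration, not prisma-appsync code; all names are hypothetical.
type NestedWrite = { path: string; op: string };

// Assumption: only these Prisma nested-write keywords are recognised here.
const RELATION_OPS: string[] = ['create', 'connectOrCreate', 'connect'];

// Walk the mutation data and record every nested relation write together
// with its operation keyword, the detail a flat field path does not carry.
function findNestedWrites(data: unknown, prefix: string = ''): NestedWrite[] {
  let found: NestedWrite[] = [];
  if (Array.isArray(data)) {
    for (let i = 0; i < data.length; i++) {
      found = found.concat(findNestedWrites(data[i], prefix));
    }
    return found;
  }
  if (typeof data !== 'object' || data === null) return found;
  const obj = data as { [key: string]: unknown };
  const keys = Object.keys(obj);
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (RELATION_OPS.indexOf(key) !== -1) {
      found.push({ path: prefix, op: key });
      found = found.concat(findNestedWrites(obj[key], prefix));
    } else {
      found = found.concat(findNestedWrites(obj[key], prefix + '/' + key));
    }
  }
  return found;
}

// Deny wins: one forbidden nested operation rejects the whole mutation, so an
// allowed sibling such as type.connect cannot flip the decision back to true.
function canAccess(data: unknown, deniedOps: string[]): boolean {
  const writes = findNestedWrites(data);
  for (let i = 0; i < writes.length; i++) {
    if (deniedOps.indexOf(writes[i].op) !== -1) return false;
  }
  return true;
}

// Constructed sample: the inner "car" object from the issue.
const carData = {
  name: 'Audi',
  color: { create: { name: 'yellow' } },
  type: { connect: { name: 'SUV' } },
};
const carAllowed: boolean = canAccess(carData, ['create', 'connectOrCreate']); // false
```

A field that happens to be named like an operation keyword is treated as a nested write, so the check fails closed rather than open.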
cjjenkinson commented