堆栈内存溢出
  简体   繁体   English

如何防止更新 AWS Amplify GraphQL API 的 ownerField?

[英]How do you prevent updates to the ownerField of an AWS Amplify GraphQL API?

 原文  2021-02-18 20:02:49       amazon-web-services/ graphql/ amplifyjs/ amplify/ aws-amplify-sdk-js

问题描述

I created a GraphQL API using AWS' Amplify.我使用 AWS 的 Amplify 创建了 GraphQL API。 In the schema, I have a Comment model that looks like this:在架构中,我有一条评论 model,如下所示:

type Comment
  @auth(rules: [{ allow: owner }, { allow: private, operations: [read] }, { allow: public, operations: [read] }])
  @model
  @key(name: "byAuthor", fields: ["authorID"])
  @key(name: "byPost", fields: ["postID"]) {
  content: String!
  createdAt: AWSDateTime!
  id: ID!
  owner: String
  postID: ID!
  updatedAt: AWSDateTime!
}

This gives the owner permission to create, read, update, and delete, and restricts unauthenticated/authenticated-non-owner users to read-only.这赋予所有者创建、读取、更新和删除的权限,并将未经身份验证/经过身份验证的非所有者用户限制为只读。 This works as expected;这按预期工作; however, the owner can update the ownerField's value, essentially attributing the comment to another user...which is a no-no.但是,所有者可以更新 ownerField 的值,本质上是将评论归因于另一个用户……这是一个禁忌。 To prevent this, I tried using field-level permissions (see below);为了防止这种情况,我尝试使用字段级权限(见下文); however, that doesn't appear to be stopping the update.但是,这似乎并没有停止更新。

...
owner: String @auth(rules: [{ allow: owner, operations: [ create ]}])
...

Is there something I'm missing?有什么我想念的吗? Any help is much appreciated--thank you!非常感谢任何帮助-谢谢!

1 个解决方案

解决方案1
 3  2021-02-23 16:46:31

You're very close.你很亲密。 Using a field-level @auth directive, you want to explicitly grant the owner the ability to create and read and explicitly deny the world the ability to update and delete .使用字段级@auth指令,您希望明确授予所有者createread的能力,并明确拒绝世界updatedelete的能力。 It might look something like:它可能看起来像:

type Todo
    @model
    @auth(rules: [{ allow: owner, ownerField: "author" }]) {
    id: ID!
    name: String!
    author: String
        @auth(
            rules: [
                { allow: groups, groups: ["FORBIDDEN"], operations: [update, delete] }
                { allow: owner, ownerField: "author", operations: [create, read] }
            ]
        )
}

Here, the "FORBIDDEN" group is a non-existent group.这里,“FOBIDDEN”组是不存在的组。 Its name can be anything so long as you do not plan to actually create a group by that name in the future.它的名称可以是任何名称,只要您将来不打算使用该名称实际创建组即可。 Because no user will ever have the "FORBIDDEN" group claim, any/all update or delete operations on the field will fail.因为任何用户都不会拥有“FORBIDDEN”组声明,所以该字段上的任何/所有updatedelete操作都将失败。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 借助AWS Amplify Auth和GraphQL API,您将如何进行一些公共和私有查询/突变调用? - With AWS Amplify Auth and GraphQL API, how would you have some public, and some private query/mutation calls? 如何为 AWS 放大 GraphQL API 添加服务器端业务逻辑? - How to add server side business logic for a AWS amplify GraphQL API? 在 AWS Amplify 中更改我的 GraphQL 架构时如何防止丢失生产数据? - How to prevent losing production data when changing my GraphQL schema in AWS Amplify? 带有AWS Amplify的GraphQL-如何启用查询排序 - GraphQL with AWS Amplify - how to enable sorting on query 如何在 React 中为 AWS 放大 GraphQL 响应设置打字稿类型? - How do I set typescript types for an AWS amplify GraphQL response in React? Aws 在一个 GraphQL Api 中使用多个 Cognito 用户池进行放大 - Aws Amplify Using Multiple Cognito User Pools in One GraphQL Api 必须在AWS放大中为Source提供graphql API调用 - Must provide Source with graphql API call in AWS amplify Flutter aws 在调用 graphql api 时放大不返回数据 - Flutter aws amplify not returning data when calling graphql api 通过 Amplify 使用 AWS appsync api(GraphQL) 有什么限制? - What are the limitations of using AWS appsync api(GraphQL) through Amplify? AWS amplify graphql appsync - 不返回已删除的项目? - AWS amplify graphql appsync - do not return deleted items?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM