Closed
Description
I have a table using authorization rules with Cognito groups:
```graphql
type Item @model
  @auth(rules: [
    { allow: groups, groups: ["Admin"], operations: [create, update, read, delete] }
    { allow: groups, groups: ["Api","Operative"], operations: [create, update, read] }
    { allow: groups, groups: ["Guest"], operations: [read] }
  ])
```
Profile Operative has permission "update" but not delete.
When I try to update an item with this code:
```dart
final oldItem = (await Amplify.DataStore.query(Item.classType,
        where: Item.TENANTID.eq(itm.tenantId).and(Item.ID.eq(itm.id))))
    .first;
final List<S3Object>? images = oldItem.images;
final List<S3Object> nImage = [...img, ...?images];
final newItem =
    oldItem.copyWith(tenantId: itm.tenantId, id: itm.id, images: nImage);
try {
  await Amplify.DataStore.save(newItem);
} on DataStoreException catch (e) {
  developer.log('error saving new image: ${e.message}');
}
```
This code only updates the field "images" and generates the following error:
```
AppSync response contained errors = [GraphQLResponse.Error{message='Unauthorized on [production, description, cattleLot lastOwner, letag, admissionDate, cost, purchase, market, retag, sale]', locations='[GraphQLLocation{line='2', column='3'}]',
path='[GraphQLPathSegment{value='updateItem'}]', extensions='{errorInfo=null, data=null, errorType=Unauthorized}'}], errors=[GraphQLResponse.Error{message='Unauthorized on [production, description, cattleLot, lastOwner, letag, admissionDate, cost, purchase, market, retag, sale]', locations='[GraphQLLocation{line='2', column='3'}]',
```
But if I add a "delete" permission:
```graphql
{ allow: groups, groups: ["Api","Operative"], operations: [create, update, read, delete] }
```
updating the record works fine.
Does my update function have any errors?
What are the auth rules for update (without delete permission)?
Kind regards
Thanks for your time
Categories
- Analytics
- API (REST)
- API (GraphQL)
- Auth
- Authenticator
- DataStore
- Notifications (Push)
- Storage
Steps to Reproduce
Configure DynamoDB / API / AUTH with Cognito group access.
Define an auth rule with update but without delete permission.
Try to update an item.
Screenshots
No response
Platforms
- iOS
- Android
- Web
- macOS
- Windows
- Linux
Flutter Version
3.22.2
Amplify Flutter Version
2.2.0
Deployment Method
Amplify CLI
Schema
```graphql
type Item @model
  @auth(rules: [
    { allow: groups, groups: ["Admin"], operations: [create, update, read, delete] }
    { allow: groups, groups: ["Api","Operative"], operations: [create, update, read, delete] }
    { allow: groups, groups: ["Guest"], operations: [read] }
  ])
{
  tenantId: ID! @primaryKey(sortKeyFields: ["id"]) # customized foreign key for parent primary key
  #tenantId: ID! @primaryKey(sortKeyFields: ["id"])
  locationId: ID! @index(sortKeyFields: ["ck"])
  location: String!
  #location: String! @index(sortKeyFields: ["ck"])
  id: ID!
  group: String
  groupId: String
  parcel: String
  parcelId: String
  cattleLot: String
  ck: String!
  ckt: String
  aid: String
  altaid: String
  alias: String
  name: String
  description: String
  admissionDate: AWSDate
  lastOwner: String
  cost: Float
  market: AWSDate
  purchase: Float
  retag: String
  letag: String
  eid: String
  events: [Event]
  production: [Production]
  weights: [Weight]
  images: [S3Object]
  documents: [S3Object]
  type: AnimalType!
  gender: Gender!
  breed: String
  color: String
  status: ItemStatus!
  sale: Float
}

type S3Object {
  name: String
  date: AWSDateTime!
  bucket: String!
  region: String!
  key: String
  localPath: String
  ownerId: String
  ownerName: String
}
```