Getting "Unauthorized on [field]" with update permissions if trying to modify a field to null #2487
Comments
|
Hi @AleksandarGT, can you try removing the field altogether from your selection set, instead of re-setting it to |
|
If I remove the field from an update query it will not update the field of the record so it will be fine. However, this is not the desired functionality, I just want to set a given value to null. |
|
tl;dr: You need to give the owner Background Setting a field to With that in mind, you can verify that owner doesn't have permissions to set that field to (Note the entry in To allow owners to delete a single field, you'll need to add field-level auth to specify that intent. (Don't forget that field-level auth rules aren't inherited: an auth rule on a field overrides any model-level auth. So you'll need to specify all allowable permissions on that field.) type User
@model
@auth(
rules: [
# Everyone logged in can read data
{ allow: private, operations: [read] }
{ allow: groups, groups: ["Admin"] }
{
allow: owner
ownerField: "owner"
identityClaim: "username"
operations: [read, update]
}
]
) {
id: ID!
about: String
@auth(
rules: [
# Everyone logged in can read data
{ allow: private, operations: [read] }
{ allow: groups, groups: ["Admin"] }
{
allow: owner
ownerField: "owner"
identityClaim: "username"
operations: [read, update, delete]
}
]
)
}Now the ACM looks as you expect: And setting the field to Update query # Logged in as user1
mutation MyMutation {
updateUser(input: {id: "uid-1", about: null}) {
id
owner
about
}
}Update result {
"data": {
"updateUser": {
"id": "uid-1",
"owner": "user1",
"about": null
}
}
}Delete query # logged in as user1
mutation MyMutation {
deleteUser(input: {id: "uid-1"}) {
id
owner
about
}
}Delete result {
"data": {
"deleteUser": null
},
"errors": [
{
"path": [
"deleteUser"
],
"data": null,
"errorType": "Unauthorized",
"errorInfo": null,
"locations": [
{
"line": 2,
"column": 3,
"sourceName": null
}
],
"message": "Not Authorized to access deleteUser on type Mutation"
}
]
}Hope this helps. |
palpatim
added
question
How did you install the Amplify CLI?
npm
If applicable, what version of Node.js are you using?
v16.16.0
Amplify CLI Version
12.10.1
What operating system are you using?
Windows
Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.
No manual changes made
Describe the bug
When I give permissions for owners of a record to only be able to read and update it, they cannot update a field to null even if it was already null.
I need to give them permissions for create and delete in order to be able to modify the given field.
GraphQL model
type User
@model
@auth(
rules: [
# Everyone logged in can read data
{ allow: private, operations: [read] }
{ allow: groups, groups: ["Admin"] }
{ allow: owner, ownerField: "owner", identityClaim: "username", operations: [read, update] }
]
) {
id: ID!
about: String
Using Angular codegen, if I try to do
I will get the following error
Adding create and delete permissions seems to fix the problem. However, I don't want users to be able to create new User records or delete their existing User record.
Expected behavior
Owners of a record should be able to update any field on their record by using the update permissions.
Reproduction steps
Project Identifier
No response
Log output
Additional information
Project is running on amplify version
"aws-amplify": "^5.3.18",
Before submitting, please confirm:
The text was updated successfully, but these errors were encountered: