maoosi / prisma-appsync

⚡ Turns your ◭ Prisma Schema into a fully-featured GraphQL API, tailored for AWS AppSync.

Home Page:https://prisma-appsync.vercel.app


Fine-grained access control does not work for Mutation :: Delete

StephanDecker opened this issue · comments

We can't implement access control for Mutation :: Delete following this guide here: see https://prisma-appsync.vercel.app/advanced/securing-api.html#%F0%9F%91%89-fine-grained-access-control.

I get the following queryParams:

      operation: 'deleteCar',
      context: { action: 'delete', alias: 'modify', model: 'car' },
      fields: [ 'name' ],
....
....
      paths: [ '/get/car/name' ],
      headers: {}

I think the reason is that the canAccess variable is true by default and the path array only contains the getPath, so we can't apply the delete shielding rules, see https://github.com/maoosi/prisma-appsync/blob/main/packages/client/src/guard.ts#L118

I solved it by checking the operation prop of queryParams:

    // Delete operations only expose the get path in params.paths, so the
    // rule is keyed on the operation name instead (params = queryParams;
    // roles and doMyCheck come from the surrounding shield function).
    if (params.operation.startsWith('delete')) {
        return {
            '**': {
                rule: doMyCheck(params.operation),
                reason: ({ model }: Context) => `${model} cannot be deleted by ${roles?.join()}`,
            },
        };
    }
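The workaround above carried through end to end, as an added example that is not part of the issue or of prisma-appsync's own code: the queryParams and Context shapes mirror what the issue prints, the `**` rule shape mirrors the snippet, and the role list, `DELETE_ALLOWED_ROLES` and the small `evaluate` helper are assumptions made for the example.

```typescript
// Shapes mirror the queryParams printed in the issue (assumed types, not prisma-appsync's).
type Context = { action: string; alias: string; model: string };
type QueryParams = {
  operation: string;
  context: Context;
  fields: string[];
  paths: string[];
  headers: Record<string, string>;
};
type ShieldRule = { rule: boolean; reason: (ctx: Context) => string };
type Shield = Record<string, ShieldRule>;

// Assumed policy: only these roles may run delete mutations.
const DELETE_ALLOWED_ROLES = new Set(['admin']);

function canDelete(roles: string[]): boolean {
  return roles.some((r) => DELETE_ALLOWED_ROLES.has(r));
}

// Build shield rules for one request. Deletes only carry the get path in
// params.paths, so the decision is keyed on the operation name instead.
function buildShield(params: QueryParams, roles: string[]): Shield {
  if (params.operation.startsWith('delete')) {
    return {
      '**': {
        rule: canDelete(roles),
        reason: ({ model }) => `${model} cannot be deleted by ${roles.join()}`,
      },
    };
  }
  // Everything else keeps the default-allow behaviour described in the issue.
  return { '**': { rule: true, reason: () => '' } };
}

// Resolve the shield against a request: denied if any matching rule is false.
function evaluate(params: QueryParams, roles: string[]): { allowed: boolean; reason?: string } {
  const shield = buildShield(params, roles);
  for (const [glob, r] of Object.entries(shield)) {
    const matches = glob === '**' || params.paths.some((p) => p.startsWith(glob));
    if (matches && !r.rule) return { allowed: false, reason: r.reason(params.context) };
  }
  return { allowed: true };
}

// Constructed sample mirroring the queryParams printed in the issue.
const sampleDelete: QueryParams = {
  operation: 'deleteCar',
  context: { action: 'delete', alias: 'modify', model: 'car' },
  fields: ['name'],
  paths: ['/get/car/name'],
  headers: {},
};
```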

Let's track this issue in #125