Amplify AppSync Auth for Membership Model with Cognito User Pools - aws-amplify

I'm trying to understand how to use AppSync GraphQL Schema and DataStore to grant access to models and sub-models to Users that have been granted access.
Let's say we have a Course model that hasMany Lessons.
I want only Users that have been granted access to a Course to be able to access the Course and its Lessons.
The owner of a Course can also create and access all content for that course.
I was exploring trying to create a Membership model, but can't quite seem to get the auth working correctly, and I'm still not sure how to cascade that all the way down to a Lesson level.
Any assistance on how to best accommodate this would be greatly appreciated.
type Course @model @auth(rules: [{ allow: owner }]) {
  id: ID!
  title: String!
  description: String
  status: String
  # indexName must match the @index declared on Lesson (the post had "bySection" here)
  Lessons: [Lesson] @hasMany(indexName: "byCourse", fields: ["id"])
}

type Lesson @model @auth(rules: [{ allow: owner }]) {
  id: ID!
  title: String!
  courseID: ID! @index(name: "byCourse")
}

type Membership
  @model
  @auth(rules: [{ allow: owner, ownerField: "member", operations: [read] }]) {
  id: ID!
  member: String
  Course: Course
    @hasOne
    @auth(rules: [{ allow: owner, ownerField: "member", operations: [read] }])
}
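One way to express the membership requirement so that it actually reaches Lesson records, as an added example that is not part of the original post. It uses the multi-owner pattern of the Transformer v2 `@auth` directive: a `members: [String]` list on both Course and Lesson, with `identityClaim: "sub"` so the list holds Cognito subject identifiers rather than usernames. The field name `members` and the index name `byCourse` are assumptions. The point it illustrates: `@auth` rules are evaluated per model and per record, and a Lesson does not inherit the rules of the Course it belongs to, which is why the list must be carried on Lesson as well and kept in sync by the owner (the only identity these rules allow to write it).

```graphql
# Added example (not the original poster's schema). Transformer v2 syntax.
# Auth rules apply per record of each @model; nothing is inherited through
# @hasMany / @belongsTo, so Lesson carries its own members list.

type Course
  @model
  @auth(rules: [
    # Creator: full access. identityClaim "sub" stores the Cognito subject
    # (stable, not reassignable) in the auto-added `owner` field.
    { allow: owner, identityClaim: "sub" }
    # Granted members: read only. They cannot update `members`, so a user
    # cannot add themselves; only the owner can grant or revoke access.
    { allow: owner, ownerField: "members", identityClaim: "sub", operations: [read] }
  ]) {
  id: ID!
  title: String!
  description: String
  status: String
  members: [String]   # assumed field name; list of Cognito subs
  Lessons: [Lesson] @hasMany(indexName: "byCourse", fields: ["id"])
}

type Lesson
  @model
  @auth(rules: [
    { allow: owner, identityClaim: "sub" }
    { allow: owner, ownerField: "members", identityClaim: "sub", operations: [read] }
  ]) {
  id: ID!
  title: String!
  courseID: ID! @index(name: "byCourse")
  course: Course @belongsTo(fields: ["courseID"])
  members: [String]   # must mirror Course.members for this course
}
```

Granting access is then an ordinary `updateCourse` that writes `members`, and the owner has to apply the same change to every Lesson of that course; a sub added on Course alone still gets Unauthorized (or filtered-out results) on Lessons, which is exactly the cascade the question asks about. If the duplicated list is too easy to let drift, the usual alternatives are a DynamoDB-stream Lambda that propagates Course.members to its Lessons, or a separate Membership model consulted by a custom resolver; neither is shown here.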

Related

AppSync query returns Unauthorized when using an IAM account

I'm using AWS Amplify. I have two models like below in my GraphQL schema.
type Class
  @model
  @auth(rules: [
    { allow: owner, identityClaim: "sub" }
    { allow: owner, identityClaim: "sub", ownerField: "studentUserIds", operations: [read] }
    { allow: private, provider: iam, operations: [read] }
  ]) {
  id: ID!
  name: String!
  studentUserIds: [String!]
  students: [Student!] @connection(keyName: "ClassStudent", fields: ["id"])
}

type Student
  @model(queries: null)
  @auth(rules: [
    { allow: owner, identityClaim: "sub", operations: [create, update, delete, read] }
    { allow: private, provider: iam, operations: [create, update, delete, read] }
    { allow: owner, ownerField: "studentUserId", operations: [update, delete] }
    { allow: private, operations: [read] }
  ])
  @key(name: "ClassStudent", fields: ["classId", "id"])
  @key(name: "ClassesByStudent", fields: ["studentUserId"], queryField: "classesByStudent") {
  id: ID!
  classId: ID!
  class: Class @connection(fields: ["classId"])
  studentUserId: ID!
  user: User! @connection(fields: ["studentUserId"])
  owner: String
}
When I run classesByStudent using an IAM account, I get an Unauthorized response, even though the IAM provider has read access to both the Student and Class tables. What am I doing wrong?
I'll add the following error:
{"errorType":"Unauthorized","message":"Not Authorized to access onCreateMessage on type Message"}
This was solved for me by creating the amplify/backend/api//custom-roles.json file as described here

Receiving "Unsupported element '$[operation]'." when running a mutation

I am having an issue running a mutation that was generated by the Amplify CLI.
I'm on node v14.18.1, amplify CLI 7.6.2.
I just recently migrated to the GraphQL Transformer v2.
Here is my model:
type User
  @model
  @auth(rules: [
    { allow: groups, groups: ["admin"] }
    { allow: owner, ownerField: "id", operations: [read] }
  ]) {
  id: ID!
  first_name: String
  last_name: String
  email: String!
  customer: Customer @hasOne(fields: ["userCustomerId"])
  userCustomerId: ID! @index(name: "usersByCreatedAt", queryField: "usersByCreatedAt", sortKeyFields: ["createdAt"])
  createdAt: String!
  isAdmin: Boolean
}
The mutation I'm calling from within AppSync:
mutation UpdateUser {
  updateUser(input: {id: "asdfasdfasdf", isAdmin: true, last_name: "Franklin", first_name: "Tim", email: "tim@tim.com", userCustomerId: "my_customer"}) {
    id
  }
}
Error:
{
  "data": {
    "updateUser": null
  },
  "errors": [
    {
      "path": [
        "updateUser"
      ],
      "data": null,
      "errorType": "MappingTemplate",
      "errorInfo": null,
      "locations": [
        {
          "line": 2,
          "column": 3,
          "sourceName": null
        }
      ],
      "message": "Unsupported element '$[operation]'."
    }
  ]
}
Has anyone run into this error, and how did you resolve it?
Thank you!
Check if there are any .vtl files in project_dir/amplify/backend/api/api_name/resolvers. If there are and you're not sure why/don't recognize them, back up and delete those files, deploy your local backend with amplify push, and see if the mutation succeeds.
I was getting the exact same error during a delete mutation and this resolved it for me. The Amplify CLI auto-generates templates for the API service, but overrides them with any it finds in that directory. Just make sure to back up all of those files before deleting them, just in case.
Check what "Data Source" your resolver function is connected to. You can see this information in the AppSync web UI for the given resolver function. If the Data Source is not mapped to the correct place or if it's set to NONE_DS, then all of the operations for the given resolver function will fail.
This error happened to me when I accidentally connected the resolver to the RDS datasource instead of the DynamoDB one.

warning: Model XX has auth with authStrategy public of which is not yet supported in DataStore

Here is my GraphQL schema:
type XX
  @model
  @aws_cognito_user_pools
  @aws_iam
  @auth(rules: [
    { allow: owner, operations: [create, read, update, delete] },
    { allow: public, provider: iam, operations: [read] },
    { allow: private, provider: userPools, operations: [read] }
  ]) {
  id: ID!
  data: String!
}
I have two auth providers, Cognito user pools and IAM: Cognito for authenticated access and IAM for unauthenticated access. The first line in the rules section is for the authenticated owner, the second line is for unauthenticated access and the last line is for authenticated non-owners. But when I run "amplify codegen models" the above warning is raised.

How to specify the scope of Google API to get the birthday

I am trying to get the birthday from the Google API, but the retrieved data in HWIOAuthBundle do not contain it.
I am wondering if the specified scope for the Google Plus API in config.yml is correct or not!
If not, please give a link or the corrected scope.
google:
    type: google
    client_id: %client_id%
    client_secret: %secret_id%
    scope: "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile"
    paths:
        email: email
        profilepicture: picture
I just used and tested it using Try It. I tested it with all of the different scopes.
https://www.googleapis.com/auth/plus.login: Know your basic profile info and list of people in your circles.
https://www.googleapis.com/auth/plus.me: Know who you are on Google
https://www.googleapis.com/auth/userinfo.email: View your email address
https://www.googleapis.com/auth/userinfo.profile: View basic information about your account
It doesn't appear to matter; you get back the birthday with all of the scopes. What does matter is that the user's birthday must be set to public in the account. If it's set to anything else (your circles, only you), it's not listed. This appears to be true even when you are trying to see your own information (sending Me).
Update, and the year is 2018:
The People API now returns the birthday of the current user via People.get. However, I suspect it's linked to Google+, so if the user hasn't filled it out you probably won't get the info.
GET https://people.googleapis.com/v1/{resourceName=people/*}
Send a resource name of people/me and birthdays as personFields:
{
  "resourceName": "people/117200475532672775346",
  "etag": "%EgQBBzcuGgwBAgMEBQYHCAkKCwwiDDQwaGhWYzc3cXJBPQ==",
  "birthdays": [
    {
      "metadata": {
        "primary": true,
        "source": {
          "type": "PROFILE",
          "id": "117200475532672775346"
        }
      },
      "date": {
        "month": 1,
        "day": 6
      }
    },
    {
      "metadata": {
        "source": {
          "type": "ACCOUNT",
          "id": "117200475532672775346"
        }
      },
      "date": {
        "year": 1971,
        "month": 1,
        "day": 6
      }
    }
  ]
}
Normally you will only get birthdays that have public visibility. To get private birthdays you need to use the https://www.googleapis.com/auth/user.birthday.read scope. See documentation for which scopes give you which data https://developers.google.com/people/v1/how-tos/authorizing#profile-scopes.

Adding a custom key in Symfony 2 in-memory user provider?

How to add a custom key in Symfony 2 in-memory user provider?
providers:
    administrators:
        memory:
            users:
                admin: { password: admin, roles: [ 'ROLE_USER' ] }
If I modify the above adding an image property the user isn't able to login anymore. Really a strange issue.
providers:
    administrators:
        memory:
            users:
                admin: { password: admin, roles: [ 'ROLE_USER' ], image: "img/plh.png" }
The reason is in the error log:
PHP Fatal error: Uncaught exception 'Symfony\Component\Config\Definition\Exception\InvalidConfigurationException' with message 'Unrecognized options "image" under "security.providers.in_memory.memory.users.manage"' in ~/vendor/symfony/symfony/src/Symfony/Component/Config/Definition/ArrayNode.php:306
Check:
https://github.com/symfony/symfony/blob/master/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php#L562
To fix it, you could extend Configuration of the SecurityBundle:
http://symfony.com/doc/current/cookbook/bundles/prepend_extension.html
