Amplify @auth rule on relation
I'm new to Amplify and having trouble configuring @auth rules on a model.
The app has two user groups, Event Organisers and Club Managers. Event Organisers can log in and create Events. Club Managers can log in and create Teams, which they can register for Events. When a Team is registered for an Event, an EventRegistration is created. The models (simplified) look like this:
type Event
  @model
  @auth(rules: [
    # Event organisers create these and can perform CRUD operations.
    { allow: owner },
    # Anyone logged into the system can view events, so they can register.
    { allow: private, operations: [read] },
  ])
{
  id: ID!
  name: String!
  # Many teams can register for the same event.
  eventRegistrations: [EventRegistration!] @hasMany
}

type EventRegistration
  @model
  @auth(rules: [
    # Club managers create these when they register their team for an event. Once
    # created, registrations are read-only from the club manager's perspective.
    { allow: owner, operations: [create, read] }
    # Event organisers can read and update registrations for their events.
    { allow: owner, ownerField: "organiser", operations: [read, update] },
  ])
{
  id: ID!
  organiser: String!
  event: Event! @belongsTo
  # I want to make this readable by event organisers, so they can see teams who have
  # registered for their event. Currently they can't because of the auth rule on Team.
  team: Team! @belongsTo
}

type Team
  @model
  @auth(rules: [
    { allow: owner }
  ])
{
  id: ID!
  name: String!
  eventRegistrations: [EventRegistration!] @hasMany
}
The problem is, when an Event Organiser queries a list of registrations for their event, the team property is not available, because Event Organisers don't have read access as specified by the Team auth rules.
Note - Event Organisers shouldn't be able to read all teams, just those registered for their event.
I've thought about a few solutions, but none of them have worked, or felt like the correct way to solve the problem.
I tried adding field level auth rules to EventRegistration.team hoping those would take precedence over the rules defined on Team, but that didn't seem to work.
One idea is to add organisers: [String] to the Team model. Then add Event Organisers to the list when a team registers for an event, and remove them when the event is finished, or the team de-registers. But this seems quite error prone, remembering to add / remove access programmatically in different scenarios. Event Organisers are also not a concern of the Team model, they really belong on EventRegistration.
I've also considered having a separate RegisteredTeam model which is essentially a copy of the Team model, with different auth rules, but duplication seems like a bad idea.
Custom auth rules are something else I've seen but haven't dug into yet.
I'm hoping someone with more Amplify experience than me can recommend a pattern :)
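The access requirement described in the question, as an added example (not code from the post and not Amplify's API): a simplified JavaScript model of the schema's owner rules showing why the nested team is hidden from the organiser, and the scoped check that would expose only registered teams. The user names, records and function names are constructed for illustration, and it assumes the nested team is resolved under Team's own rules, as the post reports.

```javascript
// Simplified model of the @auth rules in the schema above (assumption: not Amplify code).
const ALL = ['create', 'read', 'update', 'delete'];
const rules = {
  Event: [{ field: 'owner', ops: ALL }, { anySignedIn: true, ops: ['read'] }],
  EventRegistration: [
    { field: 'owner', ops: ['create', 'read'] },         // club manager
    { field: 'organiser', ops: ['read', 'update'] },     // ownerField: "organiser"
  ],
  Team: [{ field: 'owner', ops: ALL }],
};

// A request is allowed if any rule grants the operation to this user.
function allowed(model, record, user, op) {
  return rules[model].some(
    (r) => r.ops.includes(op) && (r.anySignedIn || record[r.field] === user)
  );
}

// Constructed sample data: one team registered for organiser-x's event, one not.
const teams = [
  { id: 't1', owner: 'manager-a', name: 'Lions' },
  { id: 't2', owner: 'manager-b', name: 'Tigers' },
];
const registrations = [
  { id: 'r1', owner: 'manager-a', organiser: 'organiser-x', teamId: 't1' },
];

// Current behaviour: the registration is readable, but the nested team is
// checked against Team's rules and comes back unavailable (null here).
function listRegistrations(user) {
  return registrations
    .filter((r) => allowed('EventRegistration', r, user, 'read'))
    .map((r) => {
      const team = teams.find((t) => t.id === r.teamId);
      return { id: r.id, team: allowed('Team', team, user, 'read') ? team : null };
    });
}

// Desired policy: the team owner, or an organiser named on a registration
// for that team. Access is derived from EventRegistration, so it ends when
// the registration is removed and never covers unregistered teams.
function canReadTeamDesired(team, user) {
  return (
    allowed('Team', team, user, 'read') ||
    registrations.some((r) => r.teamId === team.id && r.organiser === user)
  );
}
```
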