AWS Amplify - Field Level GraphQL Auth on Required Fields


I am trying to set up GraphQL via AWS Amplify so that all users can see part of a Member object (e.g. the name), but only members in certain groups can see other parts (e.g. the e-mail address).

I have set up my schema.graphql as follows (note this is a truncated version):

type Member @model(subscriptions: { level: off }) @auth(rules: [{allow: groups, groups: ["MANAGER"]}, {allow: private, operations: [read]}]) {
  membershipNumber: Int! @primaryKey
  firstName: String!
  lastName: String!
  email: String! @auth(rules: [{allow: groups, groups: ["MANAGER"]}, {allow: groups, groups: ["COMMITTEE"], operations: [read]}])
  dietaryRequirements: String @auth(rules: [{allow: groups, groups: ["MANAGER"]}, {allow: groups, groups: ["COMMITTEE"], operations: [read]}])
}

As I understand it, all logged in users should be able to read membershipNumber, firstName and lastName. Users in the COMMITTEE group should also be able to read email and dietaryRequirements, and users in the MANAGER group should be able to read/write all fields.

When I try to run a query as a logged in user with no groups though, I get an unauthorized error on dietaryRequirements (which is good) but I am able to read email without an error (which is bad).

The only difference I can see is that email is a required field, whereas dietaryRequirements isn't. What am I doing wrong? Do required fields override the authorization rules?
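An added example, not part of the original question: a small check that compares a GraphQL response with the read access the question expects, so a field returned to a caller outside the permitted groups is reported as a leak. The `getMember` root field, the sample response and the helper names are assumptions constructed for illustration.

```javascript
// Read access per field, transcribed from what the question expects of its schema.
const READ_POLICY = {
  membershipNumber: "ANY_SIGNED_IN",
  firstName: "ANY_SIGNED_IN",
  lastName: "ANY_SIGNED_IN",
  email: ["MANAGER", "COMMITTEE"],
  dietaryRequirements: ["MANAGER", "COMMITTEE"],
};

function mayRead(field, groups) {
  const rule = READ_POLICY[field];
  if (rule === undefined) return false; // unknown field: deny by default
  if (rule === "ANY_SIGNED_IN") return true;
  return rule.some((g) => groups.includes(g));
}

// Audit one single-item response (hypothetical helper).
// leaked:  fields the caller may not read that came back with a value.
// blocked: fields the caller may read that came back with a per-field error.
function auditResponse(response, rootField, groups) {
  const item = (response.data || {})[rootField] || {};
  const denied = new Set(
    (response.errors || [])
      .filter((e) => Array.isArray(e.path) && e.path[0] === rootField && e.path.length > 1)
      .map((e) => e.path[e.path.length - 1])
  );
  const leaked = [];
  const blocked = [];
  for (const field of Object.keys(READ_POLICY)) {
    const hasValue = item[field] !== null && item[field] !== undefined;
    if (mayRead(field, groups)) {
      if (denied.has(field)) blocked.push(field);
    } else if (hasValue) {
      leaked.push(field);
    }
  }
  return { leaked, blocked };
}

// Constructed response mirroring the behaviour described for a user with no groups.
const SAMPLE_NO_GROUPS = {
  data: { getMember: { membershipNumber: 1001, firstName: "Alex", lastName: "Doe",
    email: "alex@example.com", dietaryRequirements: null } },
  errors: [{ path: ["getMember", "dietaryRequirements"], errorType: "Unauthorized",
    message: "Not Authorized to access dietaryRequirements on type Member" }],
};

console.log(auditResponse(SAMPLE_NO_GROUPS, "getMember", []));
```

Running the same audit once per persona (no groups, COMMITTEE, MANAGER) after each schema deployment turns the expectation in the question into a repeatable authorization test.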

No answers
