Amplify @auth rule on relation

I'm new to Amplify and having trouble configuring @auth rules on a model.

The app has two user groups, Event Organisers and Club Managers. Event Organisers can log in and create Events. Club Managers can log in and create Teams, which they can register for Events. When a Team is registered for an Event, an EventRegistration is created. The models (simplified) look like this:

type Event
  @model
  @auth(rules: [
    # Event organisers create these and can perform CRUD operations.
    { allow: owner },

    # Anyone logged into the system can view events, so they can register.
    { allow: private, operations: [read] },
  ])
{
  id: ID!
  name: String!

  # Many teams can register for the same event.
  eventRegistrations: [EventRegistration!] @hasMany
}

type EventRegistration
  @model
  @auth(rules: [
    # Club managers create these when they register their team for an event. Once
    # created, registrations are read-only from the club manager's perspective.
    { allow: owner, operations: [create, read] }

    # Event organisers can read and update registrations for their events.
    { allow: owner, ownerField: "organiser", operations: [read, update] },
  ])
{
  id: ID!
  organiser: String!
  event: Event! @belongsTo

  # I want to make this readable by event organisers, so they can see teams who have 
  # registered for their event. Currently they can't because of the auth rule on Team.
  team: Team! @belongsTo
}

type Team
  @model
  @auth(rules: [
    { allow: owner }
  ])
{
  id: ID!
  name: String!
  eventRegistrations: [EventRegistration!] @hasMany
}

The problem is, when an Event Organiser queries a list of registrations for their event, the team property is not available, because Event Organisers don't have read access as specified by the Team auth rules.

Note - Event Organisers shouldn't be able to read all teams, just those registered for their event.

I've thought about a few solutions, but none of them have worked, or felt like the correct way to solve the problem.

I tried adding field-level auth rules to EventRegistration.team hoping those would take precedence over the rules defined on Team, but that didn't seem to work.

One idea is to add organisers: [String] to the Team model. Then add Event Organisers to the list when a team registers for an event, and remove them when the event is finished, or the team de-registers. But this seems quite error-prone, remembering to add / remove access programmatically in different scenarios. Event Organisers are also not a concern of the Team model, they really belong on EventRegistration.

I've also considered having a separate RegisteredTeam model which is essentially a copy of the Team model, with different auth rules, but duplication seems like a bad idea.

Custom auth rules are something else I've seen but haven't dug into yet.

I'm hoping someone with more Amplify experience than me can recommend a pattern :)

asked 9 months ago, 16 views
No Answers
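The `organisers: [String]` idea from the question, as an added sketch that is not part of the original post and is not Amplify's resolver code: a simplified model of owner-based checks in which the nested `team` field is authorised by Team's own rules, and the organiser list is recomputed from live registrations rather than patched by hand. The function names, the `owner` field name and the sample users and teams are assumptions made for illustration.

```javascript
// Simplified model of owner-based checks (assumption: not Amplify's resolver code).
// A nested field is authorised by the rules of the model it resolves to.
const rules = {
  Team: [
    { ownerField: 'owner', operations: ['create', 'read', 'update', 'delete'] },
    { ownerField: 'organisers', operations: ['read'] }, // the proposed extra rule
  ],
};

// True if `user` matches an owner rule that grants `op` on `record`.
function can(user, op, model, record) {
  return rules[model].some((rule) => {
    const value = record[rule.ownerField];
    const owners = Array.isArray(value) ? value : [value];
    return rule.operations.includes(op) && owners.includes(user);
  });
}

// Constructed sample data: two teams, one organiser ("olivia").
const teams = new Map([
  ['t1', { id: 't1', name: 'Harriers', owner: 'carl', organisers: [] }],
  ['t2', { id: 't2', name: 'Rovers', owner: 'dana', organisers: [] }],
]);
const registrations = [];

// Recompute the list from live registrations so add and remove cannot drift apart.
function syncOrganisers(teamId) {
  const live = registrations.filter((r) => r.teamId === teamId);
  teams.get(teamId).organisers = [...new Set(live.map((r) => r.organiser))];
}

function register(teamId, eventId, organiser) {
  registrations.push({ teamId, eventId, organiser });
  syncOrganisers(teamId);
}

function deregister(teamId, eventId) {
  const i = registrations.findIndex((r) => r.teamId === teamId && r.eventId === eventId);
  if (i !== -1) registrations.splice(i, 1);
  syncOrganisers(teamId);
}

// What a caller sees for registration.team: the team, or null if not authorised.
function resolveTeam(user, teamId) {
  const team = teams.get(teamId);
  return can(user, 'read', 'Team', team) ? team : null;
}
```

Deriving the list from the registrations covers the case where one organiser runs two events the same team has entered: de-registering from one must not revoke read access that the other still justifies.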
