By using AWS re:Post, you agree to the Terms of Use

AWS Amplify - Field Level GraphQL Auth on Required Fields


I am trying to set up GraphQL via AWS Amplify so that all users can see part of a Member object (e.g. the name), but only members in certain groups can see other parts (e.g. the e-mail address).

I have set up my schema.graphql as follows (note this is a truncated version):

type Member @model(subscriptions: { level: off }) @auth(rules: [{allow: groups, groups: ["MANAGER"]}, {allow: private, operations: [read]}]) {
  membershipNumber: Int! @primaryKey
  firstName: String!
  lastName: String!
  email: String! @auth(rules: [{allow: groups, groups: ["MANAGER"]}, {allow: groups, groups: ["COMMITTEE"], operations: [read]}])
  dietaryRequirements: String @auth(rules: [{allow: groups, groups: ["MANAGER"]}, {allow: groups, groups: ["COMMITTEE"], operations: [read]}])

As I understand it, all logged in users should be able to read membershipNumber, firstName and lastName. Users in the COMMITTEE group should also be able to read email and dietaryRequirements, and users in the MANAGER group should be able to read/write all fields.

When I try to run a query as a logged in user with no groups though, I get an unauthorized error on dietaryRequirements (which is good) but I am able to read email without an error (which is bad).

The only difference I can see is that email is a required field, whereas dietaryRequirements isn't. What am I doing wrong? Do required fields override the authorization rules?

No Answers

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions