I am trying to set up GraphQL via AWS Amplify so that all users can see part of a Member object (e.g. the name), but only members in certain groups can see other parts (e.g. the e-mail address).
I have set up my schema.graphql as follows (note this is a truncated version):
type Member @model(subscriptions: { level: off }) @auth(rules: [{allow: groups, groups: ["MANAGER"]}, {allow: private, operations: [read]}]) {
  membershipNumber: Int! @primaryKey
  firstName: String!
  lastName: String!
  email: String! @auth(rules: [{allow: groups, groups: ["MANAGER"]}, {allow: groups, groups: ["COMMITTEE"], operations: [read]}])
  dietaryRequirements: String @auth(rules: [{allow: groups, groups: ["MANAGER"]}, {allow: groups, groups: ["COMMITTEE"], operations: [read]}])
}
As I understand it, all logged-in users should be able to read membershipNumber, firstName and lastName. Users in the COMMITTEE group should also be able to read email and dietaryRequirements, and users in the MANAGER group should be able to read/write all fields.
When I try to run a query as a logged-in user with no groups, though, I get an unauthorized error on dietaryRequirements (which is good) but I am able to read email without an error (which is bad).
The only difference I can see is that email is a required field, whereas dietaryRequirements isn't. What am I doing wrong? Do required fields override the authorization rules?