How to check permissions of an entity on create in appsync


Problem description

Sorry for the unspecific title. However, I am having a hard time describing it.

I am using aws-appsync with aws cognito for authentication.

I've followed the amplify docs about the @auth annotation to handle permissions for mutations and queries.

Here is an example of my schema. A user can create an entry and share it with others. However, they should only read the entry and should not have permissions to edit it.

An entry also has multiple notes. (And some more fields)

type Entry @model @versioned @auth (rules: [
  { allow: owner },
  { allow: owner, ownerField: "shared", queries: [get, list], mutations: []}
])  @searchable {
  id: ID!
  date: AWSDate
  updated_at: AWSDateTime
  text: String
  notes: [Note] @connection(name: "EntryNotes")
  shared: [String]!
}

Here is the note:

type Note @model @versioned @auth (rules: [{ allow: owner }]) {
  id: ID!
  text: String
  track: Track!
  # the field is named "entry" so that the generated input argument is "noteEntryId", as used in the mutation below
  entry: Entry @connection(name: "EntryNotes")
}

This works fine so far, but the problem is the Note connection, because if you create a note you would create it like this:

mutation makeNote {
  createNote (input: {
    text: "Hello there!"
    noteEntryId: "444c80ee-6fd9-4267-b371-c2ed4a3ccda4"
  }) {
    id
    text
  }
}

The problem now is that you can create notes for entries that you do not have access to, if you somehow find out which id they have.

Is there a way to check if you have permissions to the entry before creating the note?

Recommended answer

Currently, the best way to do this is via custom resolvers within the Amplify CLI. Specifically, you are able to use AppSync pipeline resolvers to perform the authorization check before creating the note. Your pipeline resolver would contain two functions. The first would look up the entry and compare the owner to the $ctx.identity. The second function would handle writing the record to DynamoDB. You can use the same logic found in build/resolvers/Mutation.createNote.re(q|s).vtl to implement the second function by copying it into the top level resolvers/ directory and then referencing it from your custom resource. After copying the logic, you will want to disable the default createNote mutation by changing @model to @model(mutations: { update: "updateNote", delete: "deleteNote" }).

For more information on how to set up custom resolvers see https://aws-amplify.github.io/docs/cli/graphql#add-a-custom-resolver-that-targets-a-dynamodb-table-from-model. For more information on pipeline resolvers (slightly different than the example in the amplify docs) see https://docs.aws.amazon.com/appsync/latest/devguide/pipeline-resolvers.html. Also see the CloudFormation reference docs for AppSync https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-reference-appsync.html.

Looking towards the future, we are working on a design that would allow you to define auth rules that span @connections. When this is done, it will automatically configure this pattern but there is not yet a set release date.
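As an added illustration of the first pipeline function described in the answer (this is example code, not from the answer or the Amplify project), the following request and response mapping templates look up the Entry referenced by noteEntryId and reject the call unless the caller is its owner. The function name "LookupEntry", the Entry table hash key "id", the "owner" attribute written by @auth, and the use of $ctx.identity.username as the value @auth stored are all assumptions; check them against the generated build/resolvers templates in your own project.

```vtl
## Added example (not from the answer or the Amplify project): the first
## pipeline function, assumed to be named "LookupEntry", of a custom
## Mutation.createNote pipeline resolver. It runs before the function that
## writes the Note and rejects the call unless the caller owns the Entry.
## Assumptions: the Entry table's hash key is "id", @auth stored the owner
## in the "owner" attribute, and $ctx.identity.username is the same value.

## --- LookupEntry.req.vtl: read the Entry referenced by the new note ---
#if($util.isNullOrBlank($ctx.args.input.noteEntryId))
  $util.error("noteEntryId is required", "ValidationException")
#end
{
  "version": "2018-05-29",
  "operation": "GetItem",
  "key": {
    "id": $util.dynamodb.toDynamoDBJson($ctx.args.input.noteEntryId)
  }
}

## --- LookupEntry.res.vtl: compare the stored owner with the caller ---
#if($ctx.error)
  $util.error($ctx.error.message, $ctx.error.type)
#end
## A missing entry is reported exactly like a foreign one, so the response
## does not reveal whether a guessed id exists.
#if($util.isNull($ctx.result))
  $util.unauthorized()
#end
#set($caller = $ctx.identity.username)
## A null or different owner both fail the comparison and stop the pipeline.
#if($ctx.result.owner != $caller)
  $util.unauthorized()
#end
## Keep the entry for the write function and pass the result along.
$util.qr($ctx.stash.put("entry", $ctx.result))
$util.toJson($ctx.result)
```

The second function can use the copied Mutation.createNote request and response templates unchanged; the looked-up entry is also available there as $ctx.stash.entry and $ctx.prev.result.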
