How to check permissions of an entity on create in AppSync


Problem description

Sorry for the unspecific title. However, I am having a hard time to describe it.

I am using aws-appsync with aws cognito for authentication.

I've followed the amplify docs about the @auth annotation to handle permissions for mutations and queries.

Here is an example of my schema. A user can create an entry and share it with others. However, they should only read the entry and should not have permissions to edit it.

An entry also has multiple notes. (And some more fields)

type Entry @model @versioned @auth (rules: [
  { allow: owner },
  { allow: owner, ownerField: "shared", queries: [get, list], mutations: []}
])  @searchable {
  id: ID!
  date: AWSDate
  updated_at: AWSDateTime
  text: String
  notes: [Note] @connection(name: "EntryNotes")
  shared: [String]!
}

Here is the note:

type Note @model @versioned @auth (rules: [{ allow: owner }]) {
  id: ID!
  text: String
  track: Track!
  diary: DiaryEntry @connection(name: "EntryNotes")
}

This works fine so far. But the problem is the Note connection. Because if you create a note you would create it like this:

mutation makeNote {
  createNote (input: {
    text: "Hello there!"
    noteEntryId: "444c80ee-6fd9-4267-b371-c2ed4a3ccda4"
  }) {
    id
    text
  }
}

The problem now is that you can create notes for entries that you do not have access to, if you somehow find out which id they have.

Is there a way to check if you have permissions to the entry before creating the note?

Recommended answer

Currently, the best way to do this is via custom resolvers within the Amplify CLI. Specifically, you are able to use AppSync pipeline resolvers to perform the authorization check before creating the note. Your pipeline resolver would contain two functions. The first would look up the entry and compare the owner to the $ctx.identity. The second function would handle writing the record to DynamoDB. You can use the same logic found in build/resolvers/Mutation.createNote.re(q|s).vtl to implement the second function by copying it into the top level resolvers/ directory and then referencing it from your custom resource. After copying the logic, you will want to disable the default createNote mutation by changing @model to @model(mutations: { update: "updateNote", delete: "deleteNote" }).

For more information on how to set up custom resolvers see https://aws-amplify.github.io/docs/cli/graphql#add-a-custom-resolver-that-targets-a-dynamodb-table-from-model. For more information on pipeline resolvers (slightly different than the example in the amplify docs) see https://docs.aws.amazon.com/appsync/latest/devguide/pipeline-resolvers.html. Also see the CloudFormation reference docs for AppSync https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-reference-appsync.html.

Looking towards the future, we are working on a design that would allow you to define auth rules that span @connections. When this is done, it will automatically configure this pattern but there is not yet a set release date.
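As an added example (not part of the answer above, nor Amplify's generated code), here is what the first pipeline function's two mapping templates could look like in VTL. It assumes the Entry table is that function's data source, that the owner field holds the Cognito username the way Amplify's generated templates write it, and that the entry id arrives as input.noteEntryId, matching the createNote mutation in the question; the stash key name "entry" is also an assumption. The second function (the DynamoDB write copied from build/resolvers/Mutation.createNote.re(q|s).vtl) is not repeated here.

```vtl
## Request mapping template of the authorization function (added example).
## Fetch the Entry the new note would be attached to, using the argument
## name from the question's createNote mutation.
#if( $util.isNullOrBlank($ctx.args.input.noteEntryId) )
  $util.error("noteEntryId is required", "ValidationError")
#end
{
  "version": "2017-02-28",
  "operation": "GetItem",
  "key": {
    "id": $util.dynamodb.toDynamoDBJson($ctx.args.input.noteEntryId)
  }
}

## Response mapping template of the same function.
## Fail closed: a data source error, a missing entry, or a caller who is not
## the owner all end the pipeline before anything is written. Returning the
## same "unauthorized" result for a missing id avoids revealing which ids exist.
#if( $ctx.error )
  $util.error($ctx.error.message, $ctx.error.type)
#end
#if( $util.isNull($ctx.result) )
  $util.unauthorized()
#end
## Resolve the caller the same way Amplify's owner rules do (assumption:
## the owner field stores the Cognito username).
#set( $caller = $ctx.identity.claims.get("username") )
#if( $util.isNull($caller) )
  #set( $caller = $ctx.identity.claims.get("cognito:username") )
#end
#if( $ctx.result.owner != $caller )
  ## Users listed in "shared" are readers only, so they are rejected here too.
  $util.unauthorized()
#end
## Hand the verified entry to the write function through the stash.
$util.qr($ctx.stash.put("entry", $ctx.result))
$util.toJson($ctx.result)
```

The write function can then trust $ctx.stash.entry instead of re-reading the table, and the default createNote resolver must be removed (via the @model mutations override the answer describes) so that this pipeline is the only path that creates notes.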
