
[DataStore] Detected multiple owner type auth rules with a READ operation #10001

Closed
5 tasks done
Simon-PumpAndUp opened this issue Jun 17, 2022 · 7 comments
Assignees: chrisbonifacio
Labels: DataStore (Related to DataStore category), transferred (This issue was transferred from another Amplify project)

Comments

@Simon-PumpAndUp

Before opening, please confirm:

  • I have installed the latest version of the Amplify CLI (see above), and confirmed that the issue still persists.
  • I have searched for duplicate or closed issues.
  • I have read the guide for submitting bug reports.
  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

No response

Amplify CLI Version

8.5.1

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Amplify Categories

api

Amplify Commands

Not applicable

Describe the bug

Having two owner auth rules like so:

type Todo @model @auth(rules: [
  { allow: owner }
  { allow: owner, ownerField: "user", operations: [read] }
])

doesn't work:
DataStoreException{message=Error during subscription., cause=ApiAuthException{message=Detected multiple owner type auth rules with a READ operation, cause=null, recoverySuggestion=We currently do not support this use case. Please limit your type to just one owner auth rule with a READ operation restriction.}, recoverySuggestion=Evaluate details.}

There are open issues for iOS; I didn't open one for Flutter but here instead.

aws-amplify/amplify-swift#1780
aws-amplify/amplify-cli#10110

Expected behavior

AppSync should automatically sync down the entities where the user is one of the owners.

Reproduction steps

See bug

GraphQL schema(s)

# Put schemas below this line

Log output

# Put your logs below this line


Additional information

No response

@josefaidt (Contributor)

Hey @Simon-PumpAndUp 👋 thanks for raising this! Since this is a DataStore-related issue I'm going to transfer this over to our amplify-js repo for better assistance 🙂

@josefaidt josefaidt transferred this issue from aws-amplify/amplify-cli Jun 17, 2022
@josefaidt josefaidt added the transferred This issue was transferred from another Amplify project label Jun 17, 2022
@chrisbonifacio chrisbonifacio self-assigned this Jun 17, 2022
@chrisbonifacio chrisbonifacio added DataStore Related to DataStore category pending-triage Issue is pending triage labels Jun 17, 2022
@chrisbonifacio (Member)

@Simon-PumpAndUp Hey! thanks for raising this issue. For this use case, we'd recommend using a Cognito User Group authorization rule to restrict access/permissions to different types of users. If you're trying to limit permissions for a sole owner of a record, you can set the read permission on the first owner rule. The ownerFields or any other dynamic auth rules are not currently supported in DataStore.

For more information, please refer to our docs: https://docs.amplify.aws/cli/graphql/authorization-rules/#user-group-based-data-access

@chrisbonifacio chrisbonifacio removed the pending-triage Issue is pending triage label Aug 8, 2022
@maziarzamani

> @Simon-PumpAndUp Hey! thanks for raising this issue. For this use case, we'd recommend using a Cognito User Group authorization rule to restrict access/permissions to different types of users. If you're trying to limit permissions for a sole owner of a record, you can set the read permission on the first owner rule. The ownerFields or any other dynamic auth rules are not currently supported in DataStore.
>
> For more information, please refer to our docs: https://docs.amplify.aws/cli/graphql/authorization-rules/#user-group-based-data-access

This limitation has been going on for a while (more than a year). Any idea when it will be resolved?

@NiksanJP

This is such a huge risk; what if your messages can be read by people who find a vulnerability?
DataStore is very secure for this reason.

@Simon-PumpAndUp (Author)

> This is such a huge risk; what if your messages can be read by people who find a vulnerability? DataStore is very secure for this reason.

Hey @NiksanJP, can you elaborate, please? My use case is about having two or more people have the same record synced to their DataStore.

@NiksanJP

@Simon-PumpAndUp So I went through a few tutorials on how we can share a collection using ownerField for DataStore.
It seems like we cannot use ownerField on DataStore and sharing between two users is not possible. Plus, if you need to configure different access for other owners, it seems like that is not possible either. If I am wrong, please correct me; an example schema for sharing a message between two users would be nice.

I have seen countless times where owner checks have been done on the front end, like `if collection.owner == user.id`.
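As an added example, not code from Amplify or from anyone in this thread: the two owner rules from the issue plus the Cognito group rule chrisbonifacio suggested, written as plain objects in the shape of the `@auth` directive and evaluated on the server side, beside the front-end `collection.owner == user.id` filter NiksanJP describes. This is a simplified model of how AppSync evaluates such rules, not the real resolver or DataStore code; the `{ username, groups }` identity shape, the list-typed `user` field holding several owners, the group name `Moderators`, and the sample records are all assumptions made for the illustration.

```javascript
// Added example (not code from Amplify or from this thread): a simplified
// model of server-side evaluation of owner/group @auth rules, next to the
// client-only filter that a modified client can simply skip.
// Assumptions: Cognito supplies { username, groups }; a rule whose
// ownerField points at a list-typed field has several owners; the group
// "Moderators" and the records in TABLE are made up.

// The two owner rules from the issue plus the suggested group rule.
const RULES_TODO = [
  { allow: "owner", ownerField: "owner", operations: ["create", "read", "update", "delete"] },
  { allow: "owner", ownerField: "user", operations: ["read"] },
  { allow: "groups", groups: ["Moderators"], operations: ["read", "delete"] },
];

// Normalise a single owner (string) or a multi-owner list into an array.
function ownersOf(record, field) {
  const value = record[field];
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

// Does one rule grant `op` on `record` to `identity`?
function ruleGrants(rule, record, identity, op) {
  if (!rule.operations.includes(op)) return false;
  if (rule.allow === "owner") {
    return ownersOf(record, rule.ownerField).includes(identity.username);
  }
  if (rule.allow === "groups") {
    const memberOf = identity.groups || [];
    return rule.groups.some((g) => memberOf.includes(g));
  }
  return false; // unknown strategy: deny by default
}

// Rules are ORed: any single rule granting the operation is sufficient.
function isAuthorized(rules, record, identity, op) {
  return rules.some((rule) => ruleGrants(rule, record, identity, op));
}

// Server-side read: the caller only ever receives records it may read.
function serverRead(rules, table, identity) {
  return table.filter((rec) => isAuthorized(rules, rec, identity, "read"));
}

// The anti-pattern from the thread: the server hands over every record and
// the client filters on `owner == user.id`. A tampered client drops the filter.
function clientOnlyRead(table, identity, tampered = false) {
  if (tampered) return table;
  return table.filter((rec) => rec.owner === identity.username);
}

// Constructed sample data (not from the issue).
const TABLE = [
  { id: "t1", owner: "alice", user: ["bob"], title: "alice's todo, read-only for bob" },
  { id: "t2", owner: "alice", user: [], title: "alice only" },
  { id: "t3", owner: "carol", user: ["dave", "bob"], title: "carol's todo, read-only for dave and bob" },
];

const ids = (records) => records.map((r) => r.id);

// Stand-alone demonstration.
const bob = { username: "bob", groups: [] };
const moderator = { username: "mallory", groups: ["Moderators"] };
console.log("bob, server-enforced:", ids(serverRead(RULES_TODO, TABLE, bob)));             // [ 't1', 't3' ]
console.log("bob may update t1:", isAuthorized(RULES_TODO, TABLE[0], bob, "update"));      // false
console.log("moderator, server-enforced:", ids(serverRead(RULES_TODO, TABLE, moderator))); // [ 't1', 't2', 't3' ]
console.log("bob, tampered client-only filter:", ids(clientOnlyRead(TABLE, bob, true)));   // [ 't1', 't2', 't3' ]
```

Run it with `node`. The point is the last line: with a client-only owner check, the server still returned all three records, so anyone who bypasses the client code reads them; with the server-side evaluation, bob receives only the records where the `user` list names him, and cannot update them because that rule is restricted to `read`. The DataStore limitation in the error message above concerns the subscription side, which this model does not cover.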

@Simon-PumpAndUp (Author)

@NiksanJP Thanks for having a look at this, mate! I ended up with the same conclusions and used AppSync subscriptions to solve this.


5 participants