-
Notifications
You must be signed in to change notification settings - Fork 202
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: add granular read ops enum #2720
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are there any existing tests associated with these additional operations?
@phani-srikar ; No, we don't have test cases cover these additional operations. @AaronZyLee ; Have you performed manual testing to ensure that these additional operation types are functioning as expected? |
// granular read access | ||
case `get` | ||
case list | ||
case sync | ||
case listen | ||
case search | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we start off by attaching the generated Model swift types that utilizes these new granular read access cases? By doing so, we can update the source schema that we use to reference the generated types.
Is there an sort of relevant API calls that we can write, either in the unit or integration tests, utilizing these models, and asserting the expected behavior?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The example schema using it is
type Todo @model
@auth(rules:[
{ allow: public, operations: [get, list, listen, sync, search] },
{ allow: owner }
])
{
id: ID!
name: String
}
The model files can be generated by the current version of modelgen, which has the following line generated
model.authRules = [
rule(allow: .public, operations: [.get, .list, .listen, .sync, .search]),
rule(allow: .owner, ownerField: "owner", identityClaim: "cognito:username", provider: .userPools, operations: [.create, .update, .delete, .read])
]
In DataStore, we get the authtypes based on
|
case read | ||
// granular read access | ||
case `get` | ||
case list | ||
case sync | ||
case listen | ||
case search |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I bet a lot of logic is determined by checking if the operation is .read
and does something. Now that we allow compiling the more granular "read" types, that means all logic based on "read" should now be updated to
- If the previous check for read expected all granular read access then update the code to "if operation == read || operations.containsAll(list, sync, listen, search)"
- If the previous check for read expected just the sync API (for example DataStore's sync operation), then code can be updated to "if operation == read || operation == sync)"
- If previous check for read expected that the subscription API is used then --> "operation == read or operation == "listen"
The datastore usage is out of scope of this PR as mentioned in the description. This is for the API users to get the modelgen files compiled |
Customers can use DataStore, and if they have more granular access including listen and sync, then their models may not work as expected because DataStore's sync code checks for "read" access, not "read" or "sync" access. By allowing them to compile the App with the generated models, will cause other unintended behaviors when using DataStore at runtime |
Next steps, this comment #2720 (comment) captures some the concern over introducing more granular operations that was "sub-operations" of |
Is there any update on this? I'm using Amplify Gen2 as well and don't get any errors when adding |
Issue #
aws-amplify/amplify-flutter#2526
#3038
Description
Add granular read operation enums in model auth operation rule
Refer https://docs.amplify.aws/cli/graphql/authorization-rules/#how-it-works
The purpose of adding enum in library is to ensure the model files generated by modelgen will be compiled. However, this is not intended for Datastore usage but for those who use modelgen files along with API plugin. It is not recommended to use them in the datastore due to the prerequisite of
sync
andlisten
. This is documented in the calloutGeneral Checklist
Given When Then
inline code documentation and are named accordinglytestThing_condition_expectation()
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.