Amplify-js: Fetching with predicates ignores models auth rules (DataStore)

Created on 28 Jul 2020 · 6 Comments · Source: aws-amplify/amplify-js

Describe the bug
Using predicates with DataStore, auth rules seem to be totally ignored. If you set a model to be accessible only by the owner and the query is called using predicates, the owner auth rule is ignored and every item from the DB that fulfills the predicate logic is returned, even those owned by another user.

To Reproduce
Steps to reproduce the behavior:

  1. Create a model with a simple owner-based auth rule. Ex. type Item @model @auth(rules: [{ allow: owner }]) {...}
  2. Generate your model and deploy your schema (npm run amplify-modelgen and amplify push)
  3. Create Items from 2 different users
  4. Now query those Items using predicates. Ex. await DataStore.query(Property, (c) => c.available("eq", false))
  5. The response will return all the Items with key "available" false, even those created by the other user

Expected behavior
Predicates should not violate the model's auth rules, returning only the filtered owner models

DataStore

All 6 comments

Hi @alexandprivate

Every operation you do on the DataStore happens locally first. What you are seeing is that your local data still has data from another user.

Here the recommendation is to clear the DataStore when a user signs out/in with:

DataStore.clear();

I noticed you brought this up in https://github.com/aws-amplify/amplify-js/issues/6108#issuecomment-664751765 too
I'll add a note there pointing here.
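
The local-first behaviour described in the comment above, as an added example that is not part of the original thread or Amplify's code: a constructed in-memory model showing why a predicate query returns the previous user's records, and how clearing on sign-out or on sign-in prevents it. LocalStore, signIn and secondUserSees are hypothetical names, not DataStore APIs.

```javascript
// Constructed model of a local-first store; none of these names are Amplify APIs.
class LocalStore {
  constructor() {
    this.items = [];
    this.cachedFor = null; // identity the cache was last synced for
  }
  // The backend enforces the owner rule, so sync only delivers the caller's records.
  syncFrom(cloud, owner) {
    for (const rec of cloud.filter((r) => r.owner === owner)) {
      if (!this.items.some((i) => i.id === rec.id)) this.items.push(rec);
    }
    this.cachedFor = owner;
  }
  // Predicates are evaluated against the local cache; no owner check happens here.
  query(predicate) {
    return this.items.filter(predicate);
  }
  clear() {
    this.items = [];
    this.cachedFor = null;
  }
}

// Constructed sample records for two users.
const cloud = [
  { id: 1, owner: "alice", available: false },
  { id: 2, owner: "alice", available: true },
  { id: 3, owner: "bob", available: false },
];

// With the guard enabled, sign-in wipes a cache left behind by a different user.
function signIn(store, user, guard) {
  if (guard && store.cachedFor !== null && store.cachedFor !== user) store.clear();
  store.syncFrom(cloud, user);
}

// alice then bob share one browser profile; returns the owners bob's query exposes.
function secondUserSees({ clearOnSignOut, clearOnSignIn }) {
  const store = new LocalStore();
  signIn(store, "alice", clearOnSignIn);
  if (clearOnSignOut) store.clear(); // skipped when the sign-out handler never runs
  signIn(store, "bob", clearOnSignIn);
  const hits = store.query((i) => i.available === false);
  return [...new Set(hits.map((i) => i.owner))].sort().join(",");
}

console.log(secondUserSees({ clearOnSignOut: false, clearOnSignIn: false })); // alice,bob
console.log(secondUserSees({ clearOnSignOut: false, clearOnSignIn: true })); // bob
```

The sign-in guard covers the case where the previous session ended without the sign-out handler running, for example a closed tab.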

Hi there @manueliglesias that's exactly what's happening, any recommendation to achieve this using withAuthenticator? In that case, AmplifySignOut component should do that by default or accept a prop in order to handle the operation.

Since using the Auth API to sign out doesn't work when the app is wrapped in the latest version of @aws-amplify/ui-react

This won't work till the page is refreshed

const handleSignOut = async () => {
  await Auth.signOut();
  await DataStore.clear();
  history.push("/");
};

Only using AmplifySignOut will load the wrapper over the app again
import { AmplifySignOut } from "@aws-amplify/ui-react"

Hi there @manueliglesias I'm using a workaround to clear DataStore data in the browser with the latest version of withAuthenticator/@aws-amplify/ui-react. It's just not the fanciest, but it works.

  1. Avoid using the AmplifySignOut component to log out
  2. Use Auth API to sign out, clear datastore and refresh the window later

[Image: carbon]

You need to refresh the window since the latest version of withAuthenticator does not listen to the Auth.signOut()
Hope this helps as a temporary solution. Ideally, we should either pass the DataStore.clear method to the AmplifySignOut component via props or, like in older versions, make the withAuthenticator component listen to Auth.signOut

@alexandprivate I think you may be able to use onAuthUIStateChange to do this on AuthState.SignedOut. Have you tried using this function in your withAuthenticator?

Hi there @ashika01 certainly not, let me take a look at it.

Hi there @ashika01 it works like a charm! I'm leaving a hint here just in case someone needs to use it

[Image: carbon (1)]

@manueliglesias this could be closed if you want.
