{
"rules": {
"users":{
"$uid":{
".read": "auth.uid == $uid",
".write": "auth.uid == $uid",
}
}
}
}
I want the users who are under the users node only have access to both read and write and those who are not under the users node only have access to read. I wrote this rule but it says some error like Admin: false.
This is most common usage of firebase real time database rule if user is exist can read and write and if user not exists than only read the database.
{
"rules": {
".read": true,
".write": "auth != null"
}
}
Related
Given "user has many links" (what means a link was created by a user) DB entities relations, I want to develop API to fetch links along with users so that the returned data does not contain duplicated users.
In other words, instead of this request:
query {
links {
id
user {
id email
}
}
}
that returns the following data:
{
"data": {
"links": [
{
"id": 1,
"user": {
"id": 2,
"email": "user2#example.com"
}
},
{
"id": 2,
"user": {
"id": 2,
"email": "user2#example.com"
}
}
]
}
}
I want to make a request like this (note the "references" column):
query {
links {
id
userId
}
references {
users {
id
email
}
}
}
that returns associated users without duplicates:
{
"data": {
"links": [
{
"id": 1,
"userId": 2
},
{
"id": 2,
"userId": 2
},
],
"references": {
"users": [
{
"id": 2,
"email": "user2#example.com"
}
]
}
}
}
That should reduce amount of data transferred between client and server that adds a bit of speed boost.
Is there ready common implementation on any language of that idea? (Ideally, seeking for Ruby)
It's not a query or server role to normalize data.
there are no such possibilities in GraphQL specs;
server must return all asked fields within queried [response] structure;
... but you can implement some:
standarized (commonly used) pagination (relay style edges/nodes, nodes only or better both);
query [complexity] weights to promote this optimized querying style - separate problem;
reference dictionary field within queried type;
links {
egdes {
node {
id
title
url
authorId
# possible but limited usage with heavy weights
# author {
# id
# email
# }
}
}
pageInfo {
hasNextPages
}
referencedUsers {
id
email
}
}
where:
User has id and email props;
referencedUsers is [User!] type;
node.author is User type;
Normalizing Graphql client, like Apollo, can easily access cached user fields without making separate requests.
You can render (react?) some <User/> component (within <Link /> component) passing node.authorId as an argument like <User id={authorId} />. User component can useQuery hook with cache-only policy to read user props/fields.
See Apollo docs for details. You should implement this for yourself and document this to help/guide API users.
With JMESPath based on the following:
If the input is
{ "app": { "usertype": "power" } }
I would like to create
{ "output": { "aslist": true } }
If the input is
{ "app": { "usertype": "simple" } }
I would like to create:
{ "output": { "aslist": false } }
I can create the output but not the conditional part. Seems like a simple if then else but I can't find any documentation on that.
Any suggestions?
You can simply use the evaluation of a condition in JMESPath as a value for your resulting JSON.
Given the query:
{output: {aslist: app.usertype == 'power'}}
On your example JSON:
{
"app": {
"usertype": "power"
}
}
This would give
{
"output": {
"aslist": true
}
}
On your example JSON:
{
"app": {
"usertype": "simple"
}
}
This would give
{
"output": {
"aslist": false
}
}
But, of course, since it is a simple evaluation of a condition based on your simplified example it would also give you a false for anything that is not of usertype being power.
I'm developing an app which requires custom permissions on a specific table. I have the following data structure:
Users
-> id
-> name
Accounts
-> id
-> name
UserAccounts
-> userId
-> accountId
-> permissionLevel
permissionLevel is an enum and could be: Owner, ReadAndWrite or ReadOnly.
What I'd like to have is the following:
1) If you're an Owner of a UserAccount, you can invite other users.
2) If you want to create a new Account, you'll get the Owner permission in UserAccounts.
3) You can not add yourself to UserAccounts when you are not the Owner of said Account.
The issue I'm having is I'm not sure on how to solve this in Hasura. I've tried the following Hasura permission (but I'm missing an option to expand the where clause (see below)):
{
"_or": [
{
"_and": [
{
"accountId": {
"_is_null": false
}
},
{
"Account": {
"UserAccounts": {
"_and": [
{
"userId": {
"_eq": "X-Hasura-User-Id"
}
},
{
"permissionLevel": {
"_eq": "Owner"
}
}
]
}
}
}
]
},
{
"_not": {
"_exists": {
"_table": {
"name": "Account",
"schema": "public"
},
"_where": {
"UserAccounts": {
"accountId": {
"_eq": "$accountIdFromQuery" // <-- this does not exist AFAIK
}
}
}
}
}
}
]
}
So I'm at a loss what direction to go. Maybe I'm just missing something, maybe I need to use a custom view or maybe I need to try a custom postgresql function. Any help is greatly appreciated!
For now, my solution is using an event trigger (which triggers an AWS Lambda function) to write into the UserAccounts table with admin privileges. Hasura has documentation on how to achieve this: https://hasura.io/docs/1.0/graphql/manual/event-triggers/serverless.html
I have the following resolver, allowing me to retrieve information about the current user company (companyId is added as a custom field on the cognito user pool). The field on cognito is set to mutable.
{
"version" : "2017-02-28",
"operation" : "GetItem",
"key": {
"id" : $util.dynamodb.toDynamoDBJson($context.identity.claims.get("custom:companyId"))
}
}
This works fine when using the AWS AppSync interface (after login in) as the logs show:
{
"errors": [],
"mappingTemplateType": "Request Mapping",
"path": "[getMyClientCompany]",
"resolverArn": "arn:aws:appsync:eu-west-1:261378271140:apis/rue25cac6jc6vfbhvu32sjafqy/types/Query/fields/getMyClientCompany",
"transformedTemplate": "{\n \"version\" : \"2017-02-28\",\n \"operation\" : \"GetItem\",\n \"key\": {\n \"id\" : {\"S\":\"0c1c81db-a771-4856-9a30-d11bf8e3cab1\"}\n }\n}",
"context": {
"arguments": {},
"source": null,
"result": null,
"error": null,
"outErrors": []
},
"fieldInError": false
}
But doesn't work when the code comes from Amplify-js:
{
"errors": [],
"mappingTemplateType": "Request Mapping",
"path": "[getMyClientCompany]",
"resolverArn": "arn:aws:appsync:eu-west-1:261378271140:apis/rue25cac6jc6vfbhvu32sjafqy/types/Query/fields/getMyClientCompany",
"transformedTemplate": "{\n \"version\" : \"2017-02-28\",\n \"operation\" : \"GetItem\",\n \"key\": {\n \"id\" : {\"NULL\":null}\n }\n}",
"context": {
"arguments": {},
"source": null,
"result": null,
"error": null,
"outErrors": []
},
"fieldInError": false
}
The key that should be "custom:companyId" is "NULL" now
I imagine the issue is either with Amplify (version 0.4.8) or with the cognito user resolver for some reason
Any idea what could be going on?
There are two JWT tokens Cognito may utilize. ID and Access. ID token seems to contain those custom claims.
From Amplify you tweak the Authorization header to use ID token vs Access token.
Here's the code, put it in AWS Amplify configuration:
API: {
graphql_endpoint: 'https://****.appsync-api.***.amazonaws.com/graphql',
graphql_region: '***',
graphql_authenticationType: 'AMAZON_COGNITO_USER_POOLS',
graphql_headers: async () => {
try {
const token = (await Auth.currentSession()).idToken.jwtToken;
return { Authorization: token }
}
catch (e) {
console.error(e);
return {};
// Potentially you can retrieve it from local storage
}
}
}
Note, there seem to be several different keys to configure Amplify keys:
for example, aws_appsync_graphqlEndpoint vs API { graphql_endpoint }, I used the latter.
I am trying to allow specific user to write to Firebase. The issue is that I am getting error:
{
"rules": {
"events": {
".read": true,
".write": "auth.uid = 'google:xxxxxxxx..xx'"
}
}
}
the error that I am getting :
6:18: Rule expressions may not contain assignments.