Unauthorized - when updating a Many-to-one relationship

[aneaga]

Describe the bug

Having the following schema

Household: a
    .model({
      name: a.string().required(),
      memberUsers: a.hasMany('HouseholdUser', 'householdId'),
    })
    .authorization((allow) => [
      allow.owner().to(['create', 'delete', 'read']),
      allow.authenticated().to(['create', 'read']),
    ]),

  HouseholdUser: a
    .model({
      name: a.string().required(),
      email: a.string().required(),
      householdId: a.id(),
      household: a.belongsTo('Household', 'householdId'),
      role: a.ref('HouseholdUserRole').required(),
      createdTasks: a.hasMany('HouseholdTask', 'createdByUserId'),
      assignedTasks: a.hasMany('HouseholdTask', 'assigneeUserId')
    })
    .authorization((allow) => [
      allow.owner().to(['create', 'delete', 'read']),
      allow.authenticated().to(['create','read']),
    ]),

with

authorizationModes: {
    defaultAuthorizationMode: 'userPool',
  },

Create each entity separately succeeds. However, assigning a user to a household with

let updatedUser = HouseholdUser(
                id: user.id,
                name: user.name,
                email: user.email,
                household: household,
                role: user.role
            )
        let result = try await Amplify.API.mutate(request: .update(updatedUser))

fails with

An unknown error occurred: GraphQLResponseError<HouseholdUser>: GraphQL service returned a successful response containing errors: [Amplify.GraphQLError(message: "Unauthorized on [name, email, householdId, role]", locations: Optional([Amplify.GraphQLError.Location(line: 2, column: 3)]), path: Optional([Amplify.JSONValue.string("updateHouseholdUser")]), extensions: Optional(["data": Amplify.JSONValue.null, "errorType": Amplify.JSONValue.string("Unauthorized"), "errorInfo": Amplify.JSONValue.null]))]
Recovery suggestion: The list of `GraphQLError` contains service-specific messages

Steps To Reproduce

1. Set up an amplify sandbox
2. Set up the schema, as above
3. Signup a new user, log in - all good
4. Create a household entity - all good
5. Try associate the household entity with the user - FAILS

Note that in Dynamo, I do NOT see houseHoldId column in my users table. Other properties are present as columns.

Expected behavior

I expect to be able to associate one entity with the other and have that reflected in Dynamo.

Amplify Framework Version

2.46.1

Amplify Categories

API

Dependency manager

Swift PM

Swift version

6.1

CLI version

12.14

Xcode version

16.3

Relevant log output

Successfully completed execution for Auth.fetchSessionAPI with result
Starting network task for mutation 93771BA6-A5DC-47CB-B3BC-CC0413D845B3
An unknown error occurred: GraphQLResponseError<HouseholdUser>: GraphQL service returned a successful response containing errors: [Amplify.GraphQLError(message: "Unauthorized on [name, email, householdId, role]", locations: Optional([Amplify.GraphQLError.Location(line: 2, column: 3)]), path: Optional([Amplify.JSONValue.string("updateHouseholdUser")]), extensions: Optional(["data": Amplify.JSONValue.null, "errorType": Amplify.JSONValue.string("Unauthorized"), "errorInfo": Amplify.JSONValue.null]))]

Is this a regression?

Yes

Regression additional context

No response

Platforms

No response

OS Version

18.2

Device

Iphone 16 Pro

Specific to simulators

No response

Additional context

No response

[thisisabhash]

Thank you for posting this - someone from the team will take a look and post updates here.

[harsh62]

@aneaga

After reviewing the code and authorization rules, I can identify the key issues:

1. Authorization Rule Mismatch: In the schema, both models (Household and HouseholdUser) have authorization rules that only allow the owner to perform 'create', 'delete', and 'read' operations - but not 'update' operations. The 'update' operation is missing from both authorization rules.
2. Update Operation Restriction: When the user tries to update a HouseholdUser to set the household relationship, they're attempting an update operation that isn't explicitly allowed by their authorization rules.
3. Field-level Authorization: The error specifically mentions being unauthorized on fields "name, email, householdId, role", which are all the fields being included in the update mutation.

Solution

To fix this issue, the authorization rules need to be updated to explicitly allow the 'update' operation for the owner. Here's how to fix it:
Update the schema to include 'update' in the operations list for both models:

Household: a
  .model({
    name: a.string().required(),
    memberUsers: a.hasMany('HouseholdUser', 'householdId'),
  })
  .authorization((allow) => [
    allow.owner().to(['create', 'update', 'delete', 'read']), // Added 'update'
    allow.authenticated().to(['create', 'read']),
  ]),

HouseholdUser: a
  .model({
    name: a.string().required(),
    email: a.string().required(),
    householdId: a.id(),
    household: a.belongsTo('Household', 'householdId'),
    role: a.ref('HouseholdUserRole').required(),
    createdTasks: a.hasMany('HouseholdTask', 'createdByUserId'),
    assignedTasks: a.hasMany('HouseholdTask', 'assigneeUserId')
  })
  .authorization((allow) => [
    allow.owner().to(['create', 'update', 'delete', 'read']), // Added 'update'
    allow.authenticated().to(['create', 'read']),
  ]),

NOTE

Default Operations: If you don't specify operations in the authorization rules, Amplify defaults to allowing all operations ([.create, .update, .delete, .read]). In this case, operations were explicitly set without 'update'.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.