Anyone can add child records to a parent model

[karldanninger]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

React

Amplify APIs

GraphQL API

Amplify Version

v6

Amplify Categories

api

Backend

Amplify CLI

Environment information

System:
    OS: macOS 13.3.1
    CPU: (10) arm64 Apple M1 Max
    Memory: 301.92 MB / 32.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.10.0 - ~/.nvm/versions/node/v20.10.0/bin/node
    Yarn: 1.22.22 - /opt/homebrew/bin/yarn
    npm: 10.3.0 - ~/.nvm/versions/node/v20.10.0/bin/npm
    pnpm: 9.10.0 - ~/.nvm/versions/node/v20.10.0/bin/pnpm
  Browsers:
    Chrome: 129.0.6668.90
    Safari: 16.4
  npmPackages:
    @aws-amplify/datastore: 5.0.53 => 5.0.53
    @biomejs/biome: ^1.9.2 => 1.9.2
    @dnd-kit/core: ^6.1.0 => 6.1.0
    @dnd-kit/sortable: ^8.0.0 => 8.0.0
    @dnd-kit/utilities: ^3.2.2 => 3.2.2
    @fontsource/inter: ^5.1.0 => 5.1.0
    @mailerlite/mailerlite-nodejs: ^1.2.2 => 1.3.0
    @nextui-org/react: ^2.4.8 => 2.4.8
    @parcel/watcher: ^2.4.1 => 2.4.1
    @segment/analytics-next: ^1.72.2 => 1.72.2
    @sentry/react: ^6.18.2 => 6.19.7
    @sentry/tracing: ^6.18.2 => 6.19.7
    @tanstack/react-query: ^5.56.1 => 5.56.2
    @tanstack/react-router: ^1.57.15 => 1.57.15
    @tanstack/router-devtools: 1.57.15 => 1.57.15
    @tanstack/router-plugin: 1.57.15 => 1.57.15
    @tanstack/router-valibot-adapter: ^1.58.3 => 1.58.3
    @types/draft-js: ^0.11.18 => 0.11.18
    @types/node: ^22.5.5 => 22.5.5
    @types/react: ^18.3.5 => 18.3.6
    @types/react-dom: ^18.3.0 => 18.3.0
    @types/react-helmet: ^6.1.11 => 6.1.11
    @types/sanitize-html: ^2.13.0 => 2.13.0
    @types/styled-components: ^5.1.34 => 5.1.34
    @vis.gl/react-google-maps: ^1.0.0 => 1.1.3
    @vitejs/plugin-react-swc: ^3.7.0 => 3.7.0
    autoprefixer: ^10.4.20 => 10.4.20
    aws-amplify: 6.6.4 => 6.6.4
    aws-sdk: 2.1691.0 => 2.1691.0
    babel-plugin-require-context-hook: ^1.0.0 => 1.0.0
    clsx: ^2.1.1 => 2.1.1
    cookie: ^0.6.0 => 0.6.0
    date-fns: ^2.28.0 => 2.30.0
    dayjs: ^1.11.13 => 1.11.13
    draft-convert: ^2.1.12 => 2.1.13
    draft-js: ^0.11.7 => 0.11.7
    escape-html: ^1.0.3 => 1.0.3
    framer-motion: ^11.5.6 => 11.5.6
    geojson: ^0.5.0 => 0.5.0
    globals: ^15.9.0 => 15.9.0
    google-map-react: ^2.2.1 => 2.2.1
    graphql: 16.8.1 => 16.8.1
    graphql-tag: ^2.12.6 => 2.12.6
    html2canvas: ^1.4.1 => 1.4.1
    identity-obj-proxy: ^3.0.0 => 3.0.0
    immer: ^10.1.1 => 10.1.1
    js-cookie: ^3.0.1 => 3.0.5
    lucide-react: ^0.445.0 => 0.445.0
    papaparse: ^5.3.1 => 5.4.1
    patch-package: ^6.4.7 => 6.5.1
    postcss: ^8.4.47 => 8.4.47
    query-string: ^7.1.1 => 7.1.3
    react: ^18.2.0 => 18.3.1
    react-color: ^2.19.3 => 2.19.3
    react-dom: ^18.2.0 => 18.3.1
    react-dom-confetti: ^0.2.0 => 0.2.0
    react-dropzone: ^14.2.3 => 14.2.3
    react-ga4: ^2.1.0 => 2.1.0
    react-geocode: ^0.2.3 => 0.2.3
    react-helmet: ^6.1.0 => 6.1.0
    react-slick: ^0.29.0 => 0.29.0
    react-sortablejs: ^6.1.4 => 6.1.4
    react-test-renderer: ^18.2.0 => 18.3.1
    remeda: ^2.12.0 => 2.12.1
    sanitize-html: ^2.13.0 => 2.13.0
    simplify-js: ^1.2.4 => 1.2.4
    slick-carousel: ^1.8.1 => 1.8.1
    sonner: ^1.5.0 => 1.5.0
    sortablejs: ^1.15.2 => 1.15.3
    styled-components: ^5.3.3 => 5.3.11
    supercluster: B0rk3/supercluster => 8.0.0
    tailwind-merge: ^2.5.2 => 2.5.2
    tailwindcss: ^3.4.13 => 3.4.13
    touch: ^3.1.0 => 3.1.1
    typescript: 5.6.2 => 5.6.2
    use-supercluster: ^0.4.0 => 0.4.0
    uuid: ^8.3.2 => 8.3.2
    valibot: ^0.42.0 => 0.42.0
    vite: ^5.4.5 => 5.4.5
    vite-bundle-visualizer: ^1.2.1 => 1.2.1
    vite-plugin-pwa: ^0.20.5 => 0.20.5
    vite-tsconfig-paths: ^5.0.1 => 5.0.1
    vitest: ^1.3.1 => 1.6.0
    workbox-core: ^7.1.0 => 7.1.0
    workbox-precaching: ^7.1.0 => 7.1.0
    workbox-routing: ^7.1.0 => 7.1.0
    workbox-window: ^7.1.0 => 7.1.0
  npmGlobalPackages:
    corepack: 0.22.0
    npm: 10.3.0
    pnpm: 9.10.0
    typescript: 5.4.5

Describe the bug

Anyone (authenticated) can create a child Task of a Todo owned by someone else.
Is there a way to prevent this?

Expected behavior

Adding a Task to a Todo owned by someone else should return 'Unauthorized'.

Reproduction steps

Outlined below in code snippet.

Code Snippet

schema.graphql

type Todo @model @auth(rules: [{ allow: public, operations: [read] }, { allow: owner, ownerField: "ownerField" }]) {
  # Keys, Indexes
  id: ID! @primaryKey
  # Connections
  tasks: [Task] @hasMany(indexName: "tasksByTodo", fields: ["id"])
  # Fields
  ownerField: String
  description: String

type Task @model
  @auth(rules: [
    { allow: public, operations: [read] },
    { allow: owner, ownerField: "owner", operations: [create, read, update, delete] },
  ]) {
  # Keys, Indexes
  id: ID! @primaryKey
  taskTodoId: ID! @index(name: "tasksByTodo")
  # Connections
  todo: Todo @belongsTo(fields: ["taskTodoId"])
  comments: [Comment] @hasMany
  # Fields
  name: String
  owner: String
  note: String

running a createTask query on the client as any authenticated user

const task = {
 name: "Untitled Task,
 taskTodoId: {{ANYBODY ELSES TODO ID}}
};

const addTask = await API.client.graphql<any>({
  query: createTask,
    variables: {
      input: task,
    },
    authMode: "userPool",
  });

Log output

// Put your logs below this line

aws-exports.js

const awsmobile = {
    "aws_project_region": "us-east-1",
    "aws_appsync_graphqlEndpoint": "https://xxx.appsync-api.us-east-1.amazonaws.com/graphql",
    "aws_appsync_region": "us-east-1",
    "aws_appsync_authenticationType": "API_KEY",
    "aws_appsync_apiKey": "xxx",
    "aws_cloud_logic_custom": [
        {
            "name": "mailerApi",
            "endpoint": "https://xxx.execute-api.us-east-1.amazonaws.com/karl",
            "region": "us-east-1"
        },
        {
            "name": "subscriptionApi",
            "endpoint": "https://xxx.execute-api.us-east-1.amazonaws.com/karl",
            "region": "us-east-1"
        }
    ],
    "aws_cognito_identity_pool_id": "us-east-1:xxx",
    "aws_cognito_region": "us-east-1",
    "aws_user_pools_id": "us-east-1_xxx",
    "aws_user_pools_web_client_id": "xxx",
    "oauth": {},
    "aws_cognito_username_attributes": [],
    "aws_cognito_social_providers": [],
    "aws_cognito_signup_attributes": [
        "EMAIL"
    ],
    "aws_cognito_mfa_configuration": "OFF",
    "aws_cognito_mfa_types": [
        "SMS"
    ],
    "aws_cognito_password_protection_settings": {
        "passwordPolicyMinLength": 8,
        "passwordPolicyCharacters": []
    },
    "aws_cognito_verification_mechanisms": [
        "EMAIL"
    ],
    "aws_user_files_s3_bucket": "markerimagesxxx-karl",
    "aws_user_files_s3_bucket_region": "us-east-1"
};

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

[chrisbonifacio]

Hi @karldanninger 👋 Thanks for raising this issue!

To reproduce this issue, I deployed the shared schema and I tried creating some todos as User A with no tasks.
Then, I created a task, setting taskTodoId to the id of a todo created by User A.

I was not able to view the task as User A on a refetch of Todos and their tasks:

User A listTodos Query

I can view the task as User B. However, I am not able to query the Todo owned by User A even though I have access to the Task.

User B listTasks Query

As a guest (API KEY) user, I am able to see the task created by User B on User A's todo:

I'm not sure if this is a bug exactly, these responses make sense considering the auth rules. Owner Auth prevents one particular authenticated user from accessing or manipulating another user's. However, the behavior of creating a relationship between records different users own does seem to occur. I will bring this to the team for further investigation and/or discussion.

[chrisbonifacio]

Hi @karldanninger, after discussing with the team, this is expected behavior but could potentially be mitigated by extending the auto-generated resolvers and slotting in a custom resolver into the pipeline that fetches the Todo and then compares the owner in the createTask input to the Todo owner.

For more information on how to slot in resolvers, please refer to the Gen 1 documentation:
https://docs.amplify.aws/gen1/react/build-a-backend/graphqlapi/custom-business-logic/#extend-amplify-generated-resolvers

Slotting in resolvers is not currently supported in Gen 2.

Lastly, I transferred this issue over from the amplify-js repo to amplify-category-api as it is more related to the data category at build-time.

[AnilMaktala]

Hey 👋 , This issue is being closed due to inactivity. If you are still experiencing the same problem and need further assistance, please feel free to leave a comment. This will enable us to reopen the issue and provide you with the necessary support.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.