When I create an auth rule using an extremely basic traversal filtering on the id of the entity itself, the result is that all resources of that entity type are allowed.
type Thing @auth(query: { rule: """
    query ($THING_ID) {
        queryThing (filter: { id: [$THING_ID] }) { id }
    }
"""}) {
    id: String!
    property: String
}
Expected behavior:
This should mean that as long as THING_ID is one of the auth claims in the token, this should grant access to only the Thing which has the id with the value of THING_ID.
Actual behavior:
All Thing resources are able to be accessed. When the rule is combined using "or" with other (functioning) restrictive rules, it removes all restrictions, granting access to all Things.
Other notes:
I noticed that this was supposedly fixed for v21.03, but that is the version I’m using, and it doesn’t seem to be fixed.
EDIT: I mistyped above earlier. I did, in fact, specify the rule for query, add, update, and delete. It does not work. I should mention that I have created other complicated sets of @auth rules which work well. This particular one, which is much simpler than most of my rules, does not work.