Field-level authorization with Amplify GraphQL
I'm having trouble sorting out field-level authorization. I would like to have a particular field in a model be read-only.
Here's a simplified version of the schema:
```graphql
type Thing
  @model
  @auth(
    rules: [
      {
        allow: groups
        groups: ["Admins"]
        operations: [read, create, update]
      }
      { allow: private, operations: [read] }
    ]
  ) {
  id: ID!
  foo: String
  bar: String
  baz: ID
    @auth(
      rules: [
        { allow: groups, groups: ["Admins"], operations: [read] }
      ]
    )
}
```
My expectation is that all users would be able to read foo, bar, and baz, that only members of Admins would be able to update foo and bar, and that not even Admins would be allowed to update baz. I'm finding, however, that Admins are still able to write to baz, which I do not want.
I would think that field-level rules would have precedence over model-level rules.
Is such a thing possible?
Solution 1:[1]
It does appear to be possible, from the docs:
> When an authorization rule is added to a field, it'll strictly define the authorization rules applied on the field. Field-level authorization rules do not inherit model-level authorization rules. Meaning, only the specified field-level authorization rule is applied.
It seems like if you add a field-level rule the model ignores whatever authorizations you have at the model-level. There are several examples here for good reference: https://docs.amplify.aws/cli-legacy/graphql-transformer/auth/#field-level-authorization
As far as the issue you are seeing, not sure, seems like you've set it up correctly, maybe there's another issue here?
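Added example, not part of the answer above and not taken from the Amplify docs: taking the quoted rule literally (a field-level rule set replaces the model-level rules for that field rather than extending them), the field rule in the question grants read on baz to Admins only, so signed-in non-admin users would lose read access to baz even though the model-level private rule grants it. A field-level rule set that matches the expectation stated in the question (every signed-in user can read baz, nobody can update it) has to restate the private read rule on the field and grant no update at all. The model-level rules, the field name and the group name are the question's own; the schema otherwise assumes the same legacy (v1) transformer the answer links to.

```graphql
type Thing
  @model
  @auth(
    rules: [
      {
        allow: groups
        groups: ["Admins"]
        operations: [read, create, update]
      }
      { allow: private, operations: [read] }
    ]
  ) {
  id: ID!
  foo: String
  bar: String

  # Field-level rules do not inherit from the model, so the private read
  # rule must be repeated here or non-admins cannot read baz at all.
  # No rule grants create or update on this field, for Admins or anyone else.
  baz: ID
    @auth(
      rules: [
        { allow: private, operations: [read] }
      ]
    )
}
```

The change above only corrects the read side that the original field rule would have taken away from non-admins; whether it also stops Admins from writing baz in the asker's deployment is the part the answer leaves open, so check it with an update mutation from an Admins member after pushing the schema.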
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | BatteryAcid |
