问题描述
`User does not have permissions to perform administrative tasks`
当我尝试更新 AdminQueries Auth 的权限时,我只能选择一个组。
我需要使用这两个组访问此 AdminQueries。
在 Amplify 中可以吗?
解决方法
不幸的是,看起来没有办法通过 CLI 做到这一点;但是,您应该能够通过编辑 ./amplify/backend/function/AdminQueries
在 src 目录中,您将看到一个 app.js 文件,这是 checkGroup 功能所在的位置。在该文件的第 45 行,您通过 CLI 指定的允许组从环境中拉入。此后,从第 47 行开始,服务运行一系列检查以确定它是否应该授权请求。您将要更改从第 57 行开始的默认实现(复制如下)
// Only perform tasks if the user is in a specific group
const allowedGroup = process.env.GROUP;
const checkGroup = function(req,res,next) {
if (req.path == '/signUserOut') {
return next();
}
if (typeof allowedGroup === 'undefined' || allowedGroup === 'NONE') {
return next();
}
// Fail if group enforcement is being used
if (req.apiGateway.event.requestContext.authorizer.claims['cognito:groups']) {
const groups = req.apiGateway.event.requestContext.authorizer.claims['cognito:groups'].split(',');
if (!(allowedGroup && groups.indexOf(allowedGroup) > -1)) {
const err = new Error(`User does not have permissions to perform administrative tasks`);
next(err);
}
} else {
const err = new Error(`User does not have permissions to perform administrative tasks`);
err.statusCode = 403;
next(err);
}
next();
};