Is it possible to have auth rules requiring authenticated users to belong to multiple groups? For example "allow users who are in 'Tenant N' AND who are 'Editors'".
Our models are currently similar to this:
type MyModel
@model
@auth(rules: [
{ allow: owner },
{ allow: groups, groupsField: "tenantID" },
])
{
id: ID!
tenantID: String!
}
So using static group auth doesn't work for us:
type MyModel
@model
@auth(rules: [
{ allow: groups, groups: ["DynamicTenantId", "Editor"] }
])
{
id: ID!
tenantID: String!
}
Because tenantID is a dynamic value, we need to use dynamic group auth instead:
type MyModel
@model
@auth(rules: [
{ allow: owner },
{ allow: groups, groupsField: "tenantID" },
{ allow: groups, group: "Editor" },
])
{
id: ID!
tenantID: String!
}
But this doesn't work because it's an "OR", saying "allow anyone in the tenant OR anyone with the 'Editor' group".
Updating our models to use single dynamic group auth field doesn't work either:
type MyModel
@model
@auth(rules: [
{ allow: owner },
{ allow: groups, groupsField: "allowGroups" },
])
{
id: ID!
allowGroups: [String] # ['DynamicTenantId', 'Editor']
}
Because this an "OR" too, saying "allow anyone in the tenant OR anyone with the 'Editor' group".
Are there any other options, aside from a custom authenticator, to require multiple group membership?
