@vdelacou
Last active January 26, 2020 14:30
"""
A workspace is use as a tenant for our project<br>
The workspace could contains all informations related to your tenant. (eg: payment, integrations, ect ...)<br>
Only the owner can manage the workspace<br>
Only the owner can manage the list of users whom can access the workspace<br>
The workspace users can only read the workspace<br>
On Token generation, the list of your own workspace and the list of the workspaces you are an user will be added to the custom claims<br>
The Admin can access to all, even if he is not owner or user of a workspace<br>
"""
type WorkSpace
@model(subscriptions: null)
@key(fields: ["owner", "id"])
@key(name: "WorkSpaceByOwner", fields: ["owner", "updatedAt"], queryField: "getWorkSpaceByOwner")
@auth(
rules: [
# We will use it in the pre-token generation lambda
{ allow: private, provider: iam, operations: [read] }
# Allow the users in the Admin Group to do all
{ allow: groups, groups: ["Admin"], operations: [create, update, delete, read] }
# Allow the owner to do all
{ allow: owner, ownerField: "owner", operations: [create, update, delete, read]}
# Allow the owner or the users of the workspace to manage the entity
{ allow: groups, groupsField: "id", operations: [read] }
]
)
{
"""
The userId of the owner of the workspace<br>
"""
owner: String!
"""
The id<br>
"""
id: ID!
"""
The workspace title<br>
"""
title: String!
"""
The workspace update time<br>
"""
updatedAt: AWSDateTime
}
type WorkSpaceUser
@model
@key(name: "WorkSpaceUserByUser", fields: ["user", "updatedAt"], queryField: "getWorkSpaceUserByUser")
@auth(
rules: [
# We will use it in the pre-token generation lambda
{ allow: private, provider: iam, operations: [read] }
# Allow the users in the Admin Group to do all
{ allow: groups, groups: ["Admin"], operations: [create, update, delete, read] }
# Allow the owner to do all
{ allow: owner, ownerField: "workspaceOwner", operations: [create, update, delete, read] }
# Allow the owner or the users of the workspace to manage the entity
{ allow: owner, ownerField: "user", operations: [read] }
]
)
{
user: String!
workspaceOwner: String!
workspaceId: ID!
workSpace: WorkSpace @connection(fields: ["workspaceOwner","workspaceId"])
updatedAt: AWSDateTime
}
"""
Just an example to show how to restrict access to data within a WorkSpace<br>
During token generation we add in the group claim all the workspaceId<br>
The limit is 25 groups for one user<br>
"""
type Todo
@model
@auth (
rules: [
# Allow the owner or the users of the workspace to manage the entity
{ allow: groups, groupsField: "workspace", operations: [create, update, delete, read] }
]
)
{
id: ID!
name: String!
workspace: String
}
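The schema relies on a Cognito pre-token generation trigger that queries `getWorkSpaceByOwner` and `getWorkSpaceUserByUser` for the signing-in user and writes the resulting workspace ids into the groups claim, which is what the `groupsField` rules above evaluate. The following is an added example of that claim-building step, not code from the gist. It assumes the owner/user fields hold the Cognito username (the default `cognito:username` identity claim at the time of the gist), it stands in for the two DynamoDB queries with a hypothetical in-memory `sampleStore` built from constructed rows, and it enforces the 25-group limit stated in the `Todo` note. Existing Cognito groups such as `Admin` are preserved, since `groupsToOverride` replaces the claim rather than appending to it.

```javascript
// Added example: claim-building logic of a Cognito pre-token generation trigger
// for the WorkSpace / WorkSpaceUser schema. Not part of the original gist.

const MAX_WORKSPACE_GROUPS = 25; // limit stated in the schema's Todo description

// Constructed sample rows shaped like the WorkSpace and WorkSpaceUser tables.
const SAMPLE_WORKSPACES = [
  { owner: "alice", id: "ws-1", title: "Alice's shop" },
  { owner: "alice", id: "ws-2", title: "Alice's side project" },
  { owner: "bob", id: "ws-3", title: "Bob's agency" },
];
const SAMPLE_WORKSPACE_USERS = [
  { user: "carol", workspaceOwner: "alice", workspaceId: "ws-1" },
  { user: "carol", workspaceOwner: "bob", workspaceId: "ws-3" },
  { user: "alice", workspaceOwner: "bob", workspaceId: "ws-3" },
];

// Hypothetical in-memory stand-in for the two @key query fields; a real trigger
// would run DynamoDB queries on the WorkSpaceByOwner / WorkSpaceUserByUser indexes
// using the IAM read rule declared in the schema.
const sampleStore = {
  getWorkSpaceByOwner: (owner) =>
    SAMPLE_WORKSPACES.filter((w) => w.owner === owner).map((w) => w.id),
  getWorkSpaceUserByUser: (user) =>
    SAMPLE_WORKSPACE_USERS.filter((m) => m.user === user).map((m) => m.workspaceId),
};

// Build the groups claim: the user's existing Cognito groups (e.g. "Admin")
// followed by every workspace id the user owns or is a member of, de-duplicated.
// Refuses to issue a token that would exceed the 25-workspace limit rather than
// silently dropping memberships, which would otherwise look like a random denial.
function buildGroups(username, existingGroups, store) {
  const owned = store.getWorkSpaceByOwner(username);
  const member = store.getWorkSpaceUserByUser(username);
  const workspaceIds = [...new Set([...owned, ...member])].sort();
  if (workspaceIds.length > MAX_WORKSPACE_GROUPS) {
    throw new Error(
      `user ${username} belongs to ${workspaceIds.length} workspaces; limit is ${MAX_WORKSPACE_GROUPS}`
    );
  }
  return [...new Set([...existingGroups, ...workspaceIds])];
}

// Trigger handler: reads the user's current groups from the event and overrides
// the cognito:groups claim with the enlarged list.
function handler(event, store = sampleStore) {
  const cfg = event.request && event.request.groupConfiguration;
  const existing = (cfg && cfg.groupsToOverride) || [];
  const groups = buildGroups(event.userName, existing, store);
  event.response = event.response || {};
  event.response.claimsOverrideDetails = {
    groupOverrideDetails: { groupsToOverride: groups },
  };
  return event;
}

// Constructed PreTokenGeneration event (only the fields this handler reads).
function sampleEvent(username, groups = []) {
  return {
    userName: username,
    request: {
      userAttributes: {},
      groupConfiguration: { groupsToOverride: groups, iamRolesToOverride: [], preferredRole: null },
    },
    response: {},
  };
}

// Carol owns nothing and is a member of ws-1 and ws-3.
const result = handler(sampleEvent("carol"));
console.log(JSON.stringify(result.response.claimsOverrideDetails));
```

Two properties of this design are worth keeping in mind when reviewing the schema. First, the `groupsField` rules only ever see what was in the token at issue time, so adding or removing a `WorkSpaceUser` row takes effect for that user only after their next token refresh; revocation is therefore bounded by the access-token lifetime. Second, a `Todo` create must set `workspace` to one of the caller's group values, so the client cannot attach a todo to a workspace the token does not list.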