fix: User revoke own session

Description of changes: Fix issue with a user being able to revoke their own session. Added 'update' permissions to owners for the 'revokerId' field. By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
aws-samples · Jan 31, 2025 · 96f85d0 · 96f85d0
1 parent fcc0133
commit 96f85d0
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/amplify/backend/api/team/schema.graphql b/amplify/backend/api/team/schema.graphql
@@ -95,7 +95,7 @@ type requests
   @auth(
     rules: [
       { allow: groups, groups: ["Auditors"], operations: [read] }
-      { allow: owner, operations: [read]}
+      { allow: owner, operations: [read, update]}
       { allow: owner, ownerField: "approver_ids", operations: [update,read] }
       { allow: private, provider: iam, operations: [read, update] }
     ]
@@ -369,4 +369,4 @@ type Query {
   validateRequest: requests
     @function(name: "teamvalidateRequest-${env}")
     @auth(rules: [{ allow: private }])
-}
+}