User doesn't have permissions anymore

Hi, I want to report a bug, when I create a user I have to use an authProfile, and the authProfile has a role, the problem is that if I delete a role, all the users that had that role don’t have permissions anymore to execute mutations or queries with their token, even if I assign a new role to the authProfile, it is always saying “you don’t have permission to perform this operation”.

Don’t get why this should be considered a bug.

  1. Every authProfile has a role, it means every new user signed up with this authProfile will have it.
  2. Assigning a new role to the authProfile doesn’t connect it for old users.
  3. If you delete a role that has already been assigned to users - they’ll lose their permissions - it is expected.

So, is there any way to give a solution to this?
What if I need to delete a role and assign a new one to the authProfile without making the users have this problem?

Hey Jeff - this is the expected behavior, though I think I can help by explaining the role of Auth Profiles and then how to approach the Role reassignment.

Auth Profiles are essentially a mapping between an Authentication Provider and incoming bearer tokens (JWTs). The Roles (0 or more) added to an Auth Profile are in no way associated with the Users who were signed up via that Auth Profile. Instead, that’s more of a convenience factor that says, “when a new user signs up, we can associate these roles to them.”

In every Workspace, there’s a Users table and a Roles table that have a many-to-many relationship between them. This is ALL that matters when it comes to which User has which Role. Auth Profiles are only a shortcut to setting these associations at 1 point in the user sign up flow.

Now, with that said, there are a dozen ways to connect, reconnect, and disconnect Roles via the GraphQL API! In your case, I’d perform a small migration where I’d:

  1. Query the OldRole BEFORE DELETING and get a list of all its Users IDs.

  2. Perform a roleUpdate mutation on the NewRole that reconnects (or connects, if it has no users) all its Users using the IDs list.

  3. Delete the OldRole.

Please let me know if this makes sense or helps.
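
The three-step migration from the reply above, as an added sketch that is not part of the original thread or the platform's own code. It uses `connect` for only the missing users (so the new role's existing users are kept) and refuses to delete the old role until a re-read confirms nobody would be left without the new one. The operation strings, the `RoleUpdateInput` type name, the `roleDelete` shape and the `gql` transport are assumptions to check against your workspace's schema.

```javascript
// Added example: operation text and input shapes are assumptions about the
// workspace's generated schema, not taken from the thread. Assumes each role's
// users fit in one page of results.
const ROLE_USERS = "query ($id: ID!) { role(id: $id) { users { items { id } } } }";
const ROLE_UPDATE = "mutation ($data: RoleUpdateInput!) { roleUpdate(data: $data) { id } }";
const ROLE_DELETE = "mutation ($id: ID!) { roleDelete(data: { id: $id }) { success } }";

// Pull de-duplicated user IDs out of a role query result.
function userIdsOf(data) {
  const items = data && data.role && data.role.users && data.role.users.items;
  if (!Array.isArray(items)) throw new Error("role not found or users not returned");
  return [...new Set(items.map((u) => u.id))];
}

// IDs in oldIds that the new role does not hold yet.
function missingFrom(oldIds, newIds) {
  const have = new Set(newIds);
  return oldIds.filter((id) => !have.has(id));
}

// gql(query, variables) -> Promise<data> is a hypothetical transport supplied by the caller.
async function migrateRole(gql, oldRoleId, newRoleId) {
  if (oldRoleId === newRoleId) throw new Error("old and new role are the same");
  // Step 1: capture the old role's users before anything is deleted.
  const oldIds = userIdsOf(await gql(ROLE_USERS, { id: oldRoleId }));
  // Step 2: connect only the users the new role does not already have.
  const current = userIdsOf(await gql(ROLE_USERS, { id: newRoleId }));
  const toAdd = missingFrom(oldIds, current);
  if (toAdd.length > 0) {
    const connect = toAdd.map((id) => ({ id }));
    await gql(ROLE_UPDATE, { data: { id: newRoleId, users: { connect } } });
  }
  // Guard: re-read the new role and stop if any user would lose all permissions.
  const after = userIdsOf(await gql(ROLE_USERS, { id: newRoleId }));
  const stranded = missingFrom(oldIds, after);
  if (stranded.length > 0) throw new Error("old role kept; unmigrated: " + stranded.join(", "));
  // Step 3: only now delete the old role.
  await gql(ROLE_DELETE, { id: oldRoleId });
  return { migrated: oldIds.length, connected: toAdd.length };
}
```

If the verification step throws, the old role is still in place and the run can be repeated safely, since users already connected are skipped.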