fix: add callout for delete mutation permissions (#4973)

phani-srikar · Rachel Lee Nabors · commit f699dc976b3e · 2023-04-04T16:56:45.000-07:00
* fix: add callout for delete mutation permissions

* fix: minor nits
diff --git a/src/pages/cli/graphql/authorization-rules.mdx b/src/pages/cli/graphql/authorization-rules.mdx
@@ -321,6 +321,27 @@ In the example above:
 - **any signed in user** is allowed to read the list of employees' `name` and `email` fields
 - **only the employee/owner themselves** have CRUD access to their `ssn` field
 
+<Callout warning>
+
+To prevent unintended loss of data, the user or role that attempts to `delete` a record should have delete permissions on every field of the `@model` annotated GraphQL type.
+For example, in the schema below: 
+```graphql
+type Todo @model @auth(rules: [
+  { allow: private, provider: iam }, 
+  { allow: groups, groups: ["Admin"] }
+]) {
+ id: ID!
+ name: String! @auth(rules: [
+   { allow: private, provider: iam }, 
+   { allow: groups, groups: ["Admin"] }
+ ])
+ description: String @auth(rules: [{ allow: private, provider: iam }])
+}
+```
+Since the `description` field is not accessible by "Admin" Cognito group users, they cannot delete any `Todo` records.
+
+</Callout>
+
 ## Advanced
 
 ### Review and print access control matrix
