
AppSync Fine-Grained Control on Mutation with Multiple Tables


I have the following schema where the author of an Event can make notes on the Event. Only the author of the event should be able to create notes. I store the author in the Event. However, I'm finding other users are able to create a note on an event they didn't author by simply passing the eventId of another user's event, like so:

mutation {
  noteOnEvent(input: { eventId: "***", content: "A comment"}) {
    eventId
    content
  }
}

How can I prevent this? I don't see a way to access the EventTable author in the noteOnEvent resolver.

Schema

type Note {
    eventId: ID!
    noteId: ID!
    content: String
    author: String
}

input CreateNoteInput {
    eventId: ID!
    noteId: String!
    content: String
}

type Event {
    id: ID!
    name: String
    author: String 
    notes: [Note]
}

Solution

  • You can accomplish this using a Nested Resolver.

    If you modify your schema slightly, you can accomplish it like so:

    type EventCheckedNote {
      # Add a resolver on note which creates the note. The event will be available as $ctx.source, and you can make an authZ check before making the mutation.
      note: Note
    }
    
    type Mutation {
      # Add a resolver on noteOnEvent which queries the Event table.
      noteOnEvent(input: CreateNoteInput!): EventCheckedNote
    }
    

    Here is a tutorial on using nested resolvers to perform authorization checks with multiple data sources involved: https://hackernoon.com/graphql-authorization-with-multiple-data-sources-using-aws-appsync-dfae2e350bf2
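The two-step flow the answer describes, as an added example that is not part of the original question or answer. It models the nested-resolver authorization check in plain Node.js so it runs offline: the parent `Mutation.noteOnEvent` resolver only reads the Event, and the child `EventCheckedNote.note` resolver compares the caller with the Event's stored author (available as `ctx.source`) before it writes the Note. In a real deployment these two functions would run in the AppSync APPSYNC_JS runtime, where `ctx.args`, `ctx.source`, `ctx.identity` and `util` are supplied by AppSync; here `util`, the two tables and the `executeNoteOnEvent` driver are constructed stand-ins. Assumed: Cognito User Pools authentication (caller name in `ctx.identity.username`), an Event table keyed on `id`, a Note table keyed on `eventId` plus `noteId`, and a simplified DynamoDB request shape.

```javascript
// Added example, not code from the original post. Models the nested-resolver
// authorization flow in plain Node.js; ctx/util are constructed stand-ins for
// what the AppSync APPSYNC_JS runtime provides to a resolver.

class UnauthorizedError extends Error {
  constructor() {
    super("Not Authorized to access note on type EventCheckedNote");
    this.name = "UnauthorizedError";
  }
}

// Stand-in for the `util` helper that `@aws-appsync/utils` gives resolvers.
const util = {
  unauthorized() { throw new UnauthorizedError(); },
  error(message, errorType) {
    const err = new Error(message);
    err.errorType = errorType;
    throw err;
  },
};

// Constructed sample data standing in for the two DynamoDB tables.
const EVENT_TABLE = new Map([
  ["evt-1", { id: "evt-1", name: "Launch party", author: "alice" }],
  ["evt-2", { id: "evt-2", name: "Retrospective", author: "bob" }],
]);
const NOTE_TABLE = new Map(); // storage key: `${eventId}#${noteId}`

// Resolver 1: Mutation.noteOnEvent. It only reads the Event; it must not write
// the Note, because the authorization check has not happened yet.
function noteOnEventRequest(ctx) {
  return { operation: "GetItem", key: { id: ctx.args.input.eventId } };
}
function noteOnEventResponse(ctx) {
  if (!ctx.result) util.error("Event not found", "NotFound");
  // A nested resolver sees only its parent's result as ctx.source, so the
  // mutation input is carried along in that result for the child to use.
  return { ...ctx.result, input: ctx.args.input };
}

// Resolver 2: EventCheckedNote.note. ctx.source is the Event loaded above, so
// the caller is compared with the stored author before any write happens.
function noteRequest(ctx) {
  const event = ctx.source;
  const caller = ctx.identity && ctx.identity.username;
  if (!caller || caller !== event.author) {
    util.unauthorized();
  }
  const { eventId, noteId, content } = event.input;
  return {
    operation: "PutItem",
    key: { eventId, noteId },
    // author is taken from the verified identity, never from client input
    attributeValues: { content, author: caller },
    condition: { expression: "attribute_not_exists(noteId)" },
  };
}

// Constructed stand-in for AppSync running the two resolvers against the tables.
function executeNoteOnEvent(identity, input) {
  const ctx1 = { args: { input }, identity };
  const getReq = noteOnEventRequest(ctx1);
  const eventChecked = noteOnEventResponse({
    ...ctx1,
    result: EVENT_TABLE.get(getReq.key.id) || null,
  });
  const putReq = noteRequest({ source: eventChecked, identity });
  const storageKey = `${putReq.key.eventId}#${putReq.key.noteId}`;
  if (NOTE_TABLE.has(storageKey)) {
    util.error("The conditional request failed",
      "DynamoDB:ConditionalCheckFailedException");
  }
  const note = { ...putReq.key, ...putReq.attributeValues };
  NOTE_TABLE.set(storageKey, note);
  return note;
}
```

The important property is that the write lives in the child resolver, which AppSync only invokes with the parent's result in hand; a caller who passes someone else's `eventId` reaches the check with that Event's real `author` in `ctx.source` and is rejected before `PutItem` is built. The `author` attribute on the stored Note comes from `ctx.identity`, not from `CreateNoteInput`, so it cannot be spoofed either.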