Securing Fields
Now that we have a way to get the current user, we have what we need to enforce authorization on particular fields: we can just check the context. Having the current user also gives us the ability to retrieve associated records in our resolvers, returning information specific to the user.
Inline Authorization
Before we let customers anywhere near this API, we need to put some authorization checks between the current user and the variety of important actions our API can perform. Just as we did before, the most direct way to do this is to use the third argument to each resolver to pattern match for the desired case.
Let’s start by securing the :create_menu_item resolver, as we really don’t want to let customers run wild with that ...
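The pattern described above, as an added example that is not the book's code: an Absinthe resolver whose third argument (the resolution struct) is pattern matched on the `:current_user` assumed to have been placed in the context by an earlier plug. The module names `MyAppWeb.Resolvers.Menu` and `MyApp.Menu`, the `:role` field, and the in-memory `create_item/1` are assumptions made for this example.

```elixir
defmodule MyApp.Menu do
  # Assumed, minimal data layer standing in for a real Ecto context so the
  # example runs without a database. Returns {:ok, item} | {:error, reason}.
  def create_item(%{name: name} = attrs) when is_binary(name) and name != "" do
    {:ok, Map.put(attrs, :id, System.unique_integer([:positive]))}
  end

  def create_item(_attrs), do: {:error, "name is required"}
end

defmodule MyAppWeb.Resolvers.Menu do
  # Inline authorization: this clause only matches when the resolution
  # context carries a current user whose role is :employee. Everything
  # needed for the decision is already in the third argument, so no extra
  # lookup is required here.
  def create_menu_item(_parent, %{input: params},
                       %{context: %{current_user: %{role: :employee}}}) do
    case MyApp.Menu.create_item(params) do
      {:ok, item} -> {:ok, %{menu_item: item}}
      {:error, reason} -> {:error, reason}
    end
  end

  # Fallback clause: any other caller (a customer, or no user at all) is
  # refused with a single generic message, so the response does not reveal
  # whether a user was authenticated or which role it holds.
  def create_menu_item(_parent, _args, _resolution) do
    {:error, "unauthorized"}
  end
end

# Constructed calls showing both outcomes; in a schema this function is
# wired with `resolve &MyAppWeb.Resolvers.Menu.create_menu_item/3`.
employee = %{context: %{current_user: %{role: :employee}}}
customer = %{context: %{current_user: %{role: :customer}}}
anonymous = %{context: %{}}
args = %{input: %{name: "Reuben", price: 4.50}}

{:ok, %{menu_item: _}} = MyAppWeb.Resolvers.Menu.create_menu_item(nil, args, employee)
{:error, "unauthorized"} = MyAppWeb.Resolvers.Menu.create_menu_item(nil, args, customer)
{:error, "unauthorized"} = MyAppWeb.Resolvers.Menu.create_menu_item(nil, args, anonymous)
```

Because the authorized clause binds only on `role: :employee`, a context with no `:current_user` key, or with a user of any other role, falls through to the refusing clause rather than raising, which keeps the check fail-closed.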
Get Craft GraphQL APIs in Elixir with Absinthe now with the O’Reilly learning platform.