How do I write permission queries that span multiple types?

framework


I have the following schema: (types.graphql)

# A recruitment record and the objects related to it (company, applications,
# documents, process steps, recruiters).
# `state` is the field the Recruitment.read permission query on this page
# filters on. The RecruitmentState enum itself is not shown here.
type Recruitment @model {
  applications: [Application!]! @relation(name: "RecruitmentApplications")
  company: Company! @relation(name: "RecruitmentCompany")
  documents: [Document!]! @relation(name: "RecruitmentDocuments")
  id: ID! @isUnique
  jobAd: JobAd @relation(name: "RecruitmentAd")
  jobBranch: String
  merits: String
  process: [ProcessStep!]! @relation(name: "RecruitmentProcess")
  profile: Json
  profileFile: File @relation(name: "RecruitmentRequirements")
  # Three separate user relations (owner, external, guest). None of them is
  # consulted by the permission query on this page, which decides visibility
  # from the requesting user's role and the recruitment's state only.
  recruiter: User! @relation(name: "Recruiter")
  recruiterExternal: [User!]! @relation(name: "RecruiterExternal")
  recruiterGuest: [User!]! @relation(name: "RecruiterGuest")
  region: String!
  requirements: String
  selection: [Question!]! @relation(name: "RecruitmentSelection")
  # Nullable: a recruitment with no state set does not match `state: ACTIVE`,
  # so it stays hidden from anyone relying on the active-only rule.
  state: RecruitmentState
  symbols: [Symbol!]! @relation(name: "RecruitmentSymbols")
  title: String
}

# Application user account.
# Security-sensitive fields: `password`, `personNumber`, `role`, `siteAdmin`
# and `superAdmin`. The read/update permissions for this type are not shown on
# this page and should be reviewed together with the Recruitment rule.
type User @model {
  address: Address @relation(name: "UserAddress")
  adminCompany: Company @relation(name: "CompanyAdmin")
  candidate: Candidate @relation(name: "UserCandidate")
  companyContacts: [Company!]! @relation(name: "JobbetContacts")
  contactCompany: Company @relation(name: "CompanyContacts")
  createdAt: DateTime!
  email: String @isUnique
  employer: Company @relation(name: "EmployeeEmployer")
  externalRecruitments: [Recruitment!]! @relation(name: "RecruiterExternal")
  firstName: String
  guestRecruitments: [Recruitment!]! @relation(name: "RecruiterGuest")
  id: ID! @isUnique
  lastName: String
  mobile: String
  name: String
  # NOTE(review): whether this holds a hash or plaintext is not visible here.
  # It should only ever hold a salted password hash, and no User.read
  # permission should expose the field to API clients. Confirm both.
  password: String!
  # Presumably a national identity number (PII). Confirm, and restrict read
  # access accordingly.
  personNumber: String
  phone: String
  picture: File @relation(name: "PictureFile")
  recruitments: [Recruitment!]! @relation(name: "Recruiter")
  # Drives authorization: the permission query on this page checks
  # `role_in: [SUPERADMIN, SITEADMIN]`. Nullable, so a user with no role
  # matches neither value. Write access to this field must be limited to
  # administrators; a user able to update their own `role` could self-promote.
  role: UserRole
  # NOTE(review): these two flags overlap with the SITEADMIN / SUPERADMIN
  # values of `role`, and the permission query on this page reads only `role`.
  # Two sources of truth for privilege can drift apart. Confirm which one is
  # authoritative and protect both against client-side updates.
  siteAdmin: Boolean! @defaultValue(value: false)
  superAdmin: Boolean! @defaultValue(value: false)
  updatedAt: DateTime!
}

# Roles a User can hold (stored in User.role).
# Only SITEADMIN and SUPERADMIN are referenced by the permission query on this
# page; what the remaining roles are allowed to do is not shown here.
enum UserRole {
  SITEADMIN
  SUPERADMIN
  ADMINISTRATOR
  RECRUITER
  VIEWER
  CANDIDATE
}

I want to write a permission query for operation Recruitment.read that allows users with role SITEADMIN or SUPERADMIN to see all recruitments and allows everyone else to see only active recruitments.

This is my attempt at the permission query:

# Permission query attached to Recruitment.read.
#
# NOTE(review): every top-level field of a permission query has to evaluate to
# true for that permission to grant access, so this query means
#   (requesting user is SUPERADMIN or SITEADMIN) AND (recruitment is ACTIVE)
# which is why admins see only active recruitments and other users see none.
#
# The intended rule is an OR. Permissions are a whitelist: an operation is
# allowed when at least one permission defined for it grants access. The OR is
# therefore expressed as two separate read permissions on Recruitment:
#   1. one whose query contains only the SomeUserExists check (admins, any state)
#   2. one whose query contains only the SomeRecruitmentExists check (ACTIVE only)
# The second rule does not depend on $user_id; whether it should also apply to
# unauthenticated requests is a separate decision to make explicitly.
query PermitRecruitmentRead($user_id: ID!, $node_id: ID!) {
  # True only when the requesting user holds one of the two admin roles.
  SomeUserExists(filter: {
    id: $user_id
    role_in: [SUPERADMIN, SITEADMIN]
  })
  # True only when the recruitment being read is in state ACTIVE.
  SomeRecruitmentExists(filter: {
    id: $node_id
    state: ACTIVE
  })
}

Outcome: Admins can see active recruitments
Expected outcome: Admins can see all recruitments and everyone else can only see active recruitments