What is the best practise for Mutation Connect Types is Authorized by User?



Hi all,

I really wonder the best way of creating advanced mutations with relation types. Please let me explain my question clearly.

Imagine that, I have 3 types which names are Account and Account Group and User. Each user can create their own accounts and account groups.

Now lets think, one user want to create account and he will select account group to create account.

In this point I normally pass accountGroupID to createAccount mutation and used connect keyword to bind account and account group, it works fine.

The problem is that, i have to check that account group is created by this user or not.

There are too many this kind of relation in my API. What is the best way of checking this kind of relations before send mutation?



You will need to fetch the account group first to do a check. It is the standard way of doing this.

If you want to reuse this logic, use graphql-shield: https://github.com/maticzav/graphql-shield


Thank you for your answer @pantharshit00,

I also thought like you and used graphql-shield to check endpoints about relation verification.
For now, I used different functions for each relation and check user has right to access this or not.
For future, I am thinking to write dynamic function to do that,

Now the basic implementation like below; it may help other people;

This is the endpoint shield logic,

updateCategory: and(isAuthenticated, isOwnerOfCategory, isOwnerOfCategoryParentRelation),

And function is like that;

const isOwnerOfCategoryRelation = rule()(async (parent, args, { currentUser }) => {

const category = await categoryDataAccess.getCategoryById(args.data.category.connect.id);

let result = false;

if (category && category.user.id === currentUser.id) {

result = true;


log.info(`graphql-shield isOwnerOfCategoryRelation: ${result}`);

return result;



This topic was automatically closed 45 days after the last reply. New replies are no longer allowed.