That’s the issue right. For add, you get an auth error. For delete, you don’t get the error, but it doesn’t do anything. It should either be silent in both, or be sending errors in both (also, in delete operations).
The error on deleteType is a bug. No error and an empty result should have been returned there if you don’t have permissions. We have created a JIRA ticket for it and @arijit is looking into fixing this.
For addType mutation, we should change the behaviour to not return an authorization error. This would make the behaviour consistent with that of update and delete. Adding this to our backlog.
The other approach would have been to return auth errors from update/delete mutations. That would have leaked information about the data that is there even though the user doesn’t have permission to it. Since this is not considered as a good security practice, we have decided against it.