The Need for Update auth after logic

Continuing the discussion from Mutations - Graphql:

Is this still in development? I would like this to be in the auth directive itself and not stuck in a JS Hook. Right now I can prevent a user from adding content as another user with the add rules, but the user can add data as their own and then update it to belong to a different user. This is a security whole as we do not want to allow users updating data and removing them as the author and assigning somebody else to make it appear that the other user is the original author.


This will be possible once we introduce JS Hooks. But we may need to decide if we want to add this in auth directly. Let me have a discussion with the team and update you if we plan to do it in the upcoming release.
cc: @pawan

What’s the status on this? I have the same questions

1 Like

Looks like it’s on the roadmap

What are you using to prevent users from changing owners right now?

Good faith and GUI :grimacing: