The Need for Update auth after logic

Continuing the discussion from Mutations - Graphql:

Is this still in development? I would like this to be in the auth directive itself and not stuck in a JS Hook. Right now I can prevent a user from adding content as another user with the add rules, but the user can add data as their own and then update it to belong to a different user. This is a security whole as we do not want to allow users updating data and removing them as the author and assigning somebody else to make it appear that the other user is the original author.


This will be possible once we introduce JS Hooks. But we may need to decide if we want to add this in auth directly. Let me have a discussion with the team and update you if we plan to do it in the upcoming release.
cc: @pawan

What’s the status on this? I have the same questions

1 Like

Looks like it’s on the roadmap

What are you using to prevent users from changing owners right now?

Good faith and GUI :grimacing:


Can we please get this implemented! This desperately needs to be added to the @auth directly. Without this, it makes the add @auth pointless, as I can simply add something and change it later.

It should be a simple fix as you already have before and after validation in the code. I believe this should be moved to the TOP of priorities.

It also opens up a can of new features as I mentioned here when it comes do validation.

Please and thank you!



No, hooks are a different feature, and only one of the two was actually added.