Mutation Authorization Guidelines
Adam Coffman edited this page Mar 2, 2021 · 1 revision
What goes in ready?
- User must be logged in
- Arguments/ids must exist in the db
- Entities must be in a valid state to attempt the mutation (for instance, rejecting a change that's already rejected should fail)
- Does a user have multiple orgs? If so, they must provide one
What goes in authorized?
- Given that the request is valid, can this particular user do this particular thing? (Can user 2 reject evidence item 3?)
- If an org id is supplied to act on behalf of, is the user in that org?
What goes in resolve?
- Error handling for the actual action attempted
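The split described above, as an added example in plain Ruby with no GraphQL library (it is not the project's own code). The `RejectEvidenceItem` class, `MutationError`, the `run_mutation` driver, the sample users and evidence items, and the "only editors may reject" rule are all assumptions made for illustration; only the hook names `ready?`, `authorized?` and `resolve` come from this page.

```ruby
# Constructed in-memory data standing in for the database (not project data).
USERS    = { 2 => { role: :editor,  org_ids: [10, 11] },
             5 => { role: :curator, org_ids: [10] } }
EVIDENCE = { 3 => { status: "submitted" }, 4 => { status: "rejected" } }

class MutationError < StandardError; end

# Hypothetical mutation; only the three hook names come from the page.
class RejectEvidenceItem
  def initialize(user_id)
    @user = USERS[user_id]
  end

  # ready?: is the request itself valid, whoever is asking?
  def ready?(evidence_id:, org_id: nil)
    raise MutationError, "must be logged in" if @user.nil?
    item = EVIDENCE[evidence_id]
    raise MutationError, "evidence item not found" if item.nil?
    raise MutationError, "already rejected" if item[:status] == "rejected"
    raise MutationError, "organization id required" if org_id.nil? && @user[:org_ids].size > 1
    true
  end

  # authorized?: given a valid request, may this user do this thing?
  def authorized?(evidence_id:, org_id: nil)
    # Assumed rule for the example: only editors may reject.
    raise MutationError, "not permitted to reject" unless @user[:role] == :editor
    raise MutationError, "not a member of organization" if org_id && !@user[:org_ids].include?(org_id)
    true
  end

  # resolve: perform the action; only errors from the action are handled here.
  def resolve(evidence_id:, org_id: nil)
    EVIDENCE[evidence_id][:status] = "rejected"
    { status: "rejected", errors: [] }
  rescue StandardError => e
    { status: nil, errors: [e.message] }
  end
end

# Stand-in for the framework: call the hooks in order, stop at the first failure.
def run_mutation(user_id, **args)
  m = RejectEvidenceItem.new(user_id)
  m.ready?(**args) && m.authorized?(**args) && m.resolve(**args)
rescue MutationError => e
  { status: nil, errors: [e.message] }
end
```

Because `ready?` runs first, `authorized?` can assume the user and the evidence item exist, and `resolve` never runs for a request that failed either check.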