Prisma

I'm setting up a simple e-commerce app and need to process payment via Stripe, then write a new Order record to the database, with the paymentID from the transaction. I'm worried about permissions...don't want anyone to be able to set the `paid` field to `true` – is there a way to authenticate server-side so that writes can only be done via a server-side function?

Just remove the Update permissions for that type entirely, or remove the Update permissions for that field

But then will the update still work from within a function?

I need to be able to update the record, I just only want it to be possible from within a Resolver function

and sorry for my ignorance...I have a ton of experience with more traditional web apps (e.g. Django, Rails), but am now building my first production app in GraphQL...I've read most of the docs but still have some confusion which I'm sure will be cleared up once I have a little more experience

If you add a root token with the same name as the function the function will have super admin rights and full access to anything, disregarding auth queries :slightly_smiling_face: