# orm-help
m
hi folks! I have the following datamodel.prisma:
```
type Business {
    id: ID! @id
    stores: [Store]
}

type Store {
    id: ID! @id
    name: String!
    business: Business!
}
```
I want to have a single mutation for updating both the `Business` and `Store` where the `Business` serves as the entrypoint like so:
```graphql
mutation {
  updateBusiness(
    data: {
      stores: {
        create: {
          name: "My store"
        }
      }
    },
    where: {
      id: "some_business_id"
    }
  ) {
    id
    stores {
      name
      business {
        id
      }
    }
  }
}
```
this works really well and I enjoy working with nested mutations. it makes the code much simpler. my challenge is how I implement authorization with this model. imagine a `Person` that is a member of a specific `Business`: I need to avoid that this `Person` creates a new `Business` or connects a `Store` from another `Business`. it's easy to add authorization on the `updateBusiness` mutation entrypoint via e.g. graphql-shield but once the `Person` clears the initial check, the `Person` can do whatever he/she wants via nested mutations further down. should I just drop using nested mutations or is there a neat solution to this via e.g. graphql-shield? I've managed to find a few people having the same issue but I don't see a good solution: https://github.com/prisma/prisma/issues/3901
h
You should perform all the checks before executing this mutation. You can use graphql-shield's `and` helper and can perform multiple checks. That is how most authorization systems work, which is a precheck.
m
ok. I just fear it will be a bit flaky since nested mutations can be nested super deep. and I might end up having to hydrate hundreds of nodes to make sure you can connect/disconnect/update/create X, Y or Z. but I guess that's the only way to do it and then have some sort of cache to optimize hydration
h
Nested mutations are controlled by you, not by the user. You are using the Prisma client. You can also do certain checks for query depth. Check this great article by Max that explains this: https://blog.apollographql.com/securing-your-graphql-api-from-malicious-queries-16130a324a6b
m
thx a lot. will get to it 👍