Morten Bo Rønsholdt
04/27/2019, 1:39 PM
```graphql
type Business {
  id: ID! @id
  stores: [Store]
}

type Store {
  id: ID! @id
  name: String!
  business: Business!
}
```
I want to have a single mutation for updating both the Business and Store where the Business serves as the entrypoint like so:
```graphql
mutation {
  updateBusiness(
    data: {
      stores: {
        create: {
          name: "My store"
        }
      }
    },
    where: {
      id: "some_business_id"
    }
  ) {
    id
    stores {
      name
      business {
        id
      }
    }
  }
}
```
This works really well and I enjoy working with nested mutations. It makes the code much simpler. My challenge is how I implement authorization with this model. Imagine a Person that is a member of a specific `Business`: I need to avoid that this Person creates a new Business or connects a Store from another Business. It's easy to add authorization on the updateBusiness mutation entrypoint via e.g. graphql-shield, but once the Person clears the initial check, the Person can do whatever he/she wants via nested mutations further down.
Should I just drop using nested mutations or is there a neat solution to this? I've managed to find a few people having the same issue but I don't see a good solution: https://github.com/prisma/prisma/issues/3901 and https://github.com/maticzav/graphql-shield/issues/113#issuecomment-419494204
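An added example (not part of the original post, and not Prisma's or graphql-shield's own code): one way to address the gap described above is to check the nested `data` argument against a per-relation allow-list before it is forwarded to Prisma. `POLICY`, `childData` and `findViolations` are hypothetical names, and the permitted operations are assumptions.

```javascript
// Added example. POLICY, childData and findViolations are hypothetical names,
// not part of Prisma or graphql-shield. The permitted ops are assumptions.

// Per type: which relation fields accept nested writes, and which operations.
const POLICY = {
  Business: { stores: { type: 'Store', ops: ['create', 'update'] } },
  Store: {}, // nothing nested under a Store, so no business.create/connect
};

// Child data objects carried by one nested operation payload.
const childData = (op, item) =>
  op === 'create' ? [item]
  : op === 'update' ? [item && item.data ? item.data : item]
  : op === 'upsert' ? [item && item.create, item && item.update]
  : []; // connect, disconnect, delete carry no nested data

// Walk a Prisma-style `data` argument and return every nested write that the
// policy does not allow. Unknown relations and operations fail closed.
function findViolations(typeName, data, path = 'data') {
  const violations = [];
  const relations = POLICY[typeName] || {};
  for (const [field, value] of Object.entries(data || {})) {
    if (value === null || typeof value !== 'object') continue; // scalar field
    const here = `${path}.${field}`;
    const known = Object.prototype.hasOwnProperty.call(relations, field);
    if (!known) {
      violations.push(`${here}: nested writes not allowed`);
      continue;
    }
    for (const [op, payload] of Object.entries(value)) {
      if (!relations[field].ops.includes(op)) {
        violations.push(`${here}.${op}: operation not allowed`);
        continue;
      }
      for (const item of [].concat(payload)) { // to-many payloads may be arrays
        for (const child of childData(op, item)) {
          violations.push(...findViolations(relations[field].type, child, `${here}.${op}`));
        }
      }
    }
  }
  return violations;
}

// Constructed inputs: the post's mutation, then a cross-business connect.
console.log(findViolations('Business', { stores: { create: { name: 'My store' } } }));
console.log(findViolations('Business', { stores: { connect: { id: 'other_store_id' } } }));
```

A resolver or permission rule for `updateBusiness` would call `findViolations('Business', args.data)` and reject the request when the returned list is non-empty.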