is there a best practice pattern for row level security with prisma? say i have a type Book that has books owned by a User... how can I combine the nice features of prisma like the BookWhereInput input type with a filter for "only Book owned by User" when exposing an API?

there are two high-level approaches that I'm aware of right now: - middleware: https://github.com/graphcool/graphql-middleware (see #graphql-middleware) - schema directives: https://blog.graph.cool/graphql-directive-permissions-authorization-made-easy-54c076b5368e