I wrote a custom resolver to update a date on a table instead of relying on the clients to update the field with the right date. This is similar to how someone might implement soft deletion (to still see deleted records in 8base and be able to fetch them):

import gql from "graphql-tag";

// Mutation that writes deletedAt on a single record.
const TABLE_UPDATE = gql`
  mutation TableUpdate($id: ID, $deletedAt: Date) {
    tableUpdate(data: { id: $id, deletedAt: $deletedAt }) {
      id
    }
  }
`;

// Custom resolver: only the record id comes from the client, the date is set here.
export default async (event, ctx) => {
  const { id } = event.data;
  await ctx.api.gqlRequest(TABLE_UPDATE, { id, deletedAt: "2020-07-25" });
  return { data: { success: true }, errors: [] };
};

However, I also wanna prevent clients from updating that field (deletedAt in the example above) directly through the tableUpdate mutation, so that they have to call my custom resolver (I have to perform some extra logic around it and it seems safer since clients could technically update the table with the wrong date).
If I remove update access to deletedAt in roles and permissions, the custom resolver is also not authorized to perform the mutation since 8base still considers that the user is updating the field, which makes sense. Is there a way to either execute this mutation with a different role than the user calling the resolver or a different way to achieve the same behavior?
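
One way to get this behaviour, as an added example that is not part of the original post and not 8base's own code. It assumes the `checkPermissions: false` option of `ctx.api.gqlRequest`, a `table` read query matching the post's `tableUpdate`, and that `gqlRequest` accepts query strings and returns the data object. Because the privileged write skips role checks, the resolver first confirms the caller can read the record under their own role.

```javascript
// Added example. Query names and response shapes are assumptions based on the post.
const TABLE_READ = `query TableRead($id: ID!) { table(id: $id) { id deletedAt } }`;
const TABLE_UPDATE = `mutation TableUpdate($id: ID, $deletedAt: Date) {
  tableUpdate(data: { id: $id, deletedAt: $deletedAt }) { id }
}`;

const fail = (message) => ({ data: { success: false }, errors: [{ message }] });

// In an 8base project this function would be the resolver's default export.
// `now` is injectable only so the date logic can be tested.
async function softDelete(event, ctx, now = new Date()) {
  // Only the id is taken from the client; any client-supplied deletedAt is ignored.
  const { id } = event.data || {};
  if (typeof id !== "string" || id.length === 0) return fail("id is required");

  // Step 1: read with the caller's own permissions (the default), so a user
  // cannot soft-delete a record their role does not let them see.
  let record;
  try {
    ({ table: record } = await ctx.api.gqlRequest(TABLE_READ, { id }));
  } catch (err) {
    return fail("not authorized");
  }
  if (!record) return fail("record not found or not accessible");
  if (record.deletedAt) return fail("already deleted");

  // Step 2: privileged write. The role can have update access to deletedAt
  // removed, because this call skips the role check. The date is set server-side.
  const deletedAt = now.toISOString().slice(0, 10);
  await ctx.api.gqlRequest(TABLE_UPDATE, { id, deletedAt }, { checkPermissions: false });
  return { data: { success: true }, errors: [] };
}
```

With update access to deletedAt removed from the role, a direct tableUpdate from a client is rejected while this resolver still succeeds.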