[auth][graphql] patchUser resolver #4038

Closed
Tracked by #3433
axiomofjoy opened this issue Jul 27, 2024 · 2 comments

axiomofjoy commented Jul 27, 2024

mutation patchUser(
  userId: <id>,
  email: "user@domain.com",
  username: "username",
  password: "password",
  role: Admin,
) {
  user: {
    id
  }
}

Only admins should be able to patch users via the admin page. The user should be able to pass in only a subset of the fields in the resolver (e.g., only email).

We should guarantee that there is always one admin user at any given time by raising an error if changing the role of a user from admin to non-admin would result in there being no admin users left.

@mikeldking

Is the intent that patch user would be only accessible to admins and there would be a different mutation for viewer? Worth considering that the "behavior" of whether or not the user has to reset the password should exist here.

@mikeldking

Note we should probably invalidate all sessions (e.g. access tokens) when a user's credentials are changed AND when the user logs out
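
The checks discussed in this issue (admin-only access, partial updates, the last-admin guard, and session revocation on credential change) can be sketched as follows. This is an added example, not the project's code: the `User` record, `patch_user`, `hash_password`, the role names and the in-memory `users` dict are all assumptions made for illustration.

```python
import hashlib
import os
from dataclasses import dataclass, field

ADMIN, MEMBER = "ADMIN", "MEMBER"  # hypothetical role names

@dataclass
class User:  # hypothetical in-memory stand-in for the users table
    id: int
    email: str
    username: str
    password_hash: str
    role: str
    tokens: set = field(default_factory=set)  # ids of live access tokens

def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt$digest' in hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return f"{salt.hex()}${digest.hex()}"

def patch_user(users, actor_id, user_id, *, email=None, username=None,
               password=None, role=None):
    """Apply a partial update; None means 'field not supplied'."""
    actor, target = users.get(actor_id), users.get(user_id)
    if actor is None or actor.role != ADMIN:
        raise PermissionError("only admins may patch users")
    if target is None:
        raise LookupError("user not found")
    if role is not None and role not in (ADMIN, MEMBER):
        raise ValueError("unknown role")
    demoting = role is not None and target.role == ADMIN and role != ADMIN
    if demoting and not any(u.role == ADMIN and u.id != target.id
                            for u in users.values()):
        raise ValueError("cannot remove the last admin")
    # All checks passed: mutate only now, so a rejected patch changes nothing.
    if email is not None:
        target.email = email
    if username is not None:
        target.username = username
    if password is not None:
        target.password_hash = hash_password(password)
    # Revoke sessions on credential change (role change too: an assumption).
    if password is not None or (role is not None and role != target.role):
        target.tokens.clear()
    if role is not None:
        target.role = role
    return target
```

Against a real database, the admin count and the role update have to run in one transaction with the relevant rows locked; otherwise two concurrent demotions can each see the other admin still in place and both succeed.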
