fix: add review auth checks (#315)

Author: HYACCCINT

starters/nextjs/shopify-ecommerce/dataconnect/connector/mutations.gql

@@ -5,7 +5,7 @@ mutation CreateProduct(
   $name: String!
   $description: String!
   $price: Float!
-) {
+) @auth(level: NO_ACCESS) {
   product_insert(
     data: {
       productID: $productID
@@ -27,7 +27,7 @@ mutation UpdateProduct(
   $price: Float!
   $productID: String!
   $productSlug: String!
-) {
+) @auth(level: NO_ACCESS) {
   product_update(
     key: { id: $id }
     data: {
@@ -43,7 +43,7 @@ mutation UpdateProduct(
 }
 
 # Delete a product
-mutation DeleteProduct($id: UUID!) {
+mutation DeleteProduct($id: UUID!) @auth(level: NO_ACCESS) {
   product_delete(key: { id: $id })
 }
 
@@ -56,13 +56,13 @@ mutation CreateReview(
   $userName: String!
   $rating: Float!
   $content: String!
-) @auth(level: PUBLIC) {
+) @auth(level: USER) {
   review_insert(
     data: {
       productID: $productID
       productSlug: $productSlug
       productName: $productName
-      userID: $userID
+      userID_expr: "auth.uid"
       userName: $userName
       rating: $rating
       content: $content
@@ -73,6 +73,11 @@ mutation CreateReview(
 
 # Update an existing review
 mutation UpdateReview($id: UUID!, $rating: Float!, $content: String!) @auth(level: USER) {
+  query {
+    review(id: $id) @redact {
+      userID @check(expr: "this == auth.uid", message: "You can only update your own reviews")
+    }
+  }
   review_update(
     key: { id: $id }
     data: {
@@ -85,5 +90,10 @@ mutation UpdateReview($id: UUID!, $rating: Float!, $content: String!) @auth(leve
 
 # Delete a review
 mutation DeleteReview($id: UUID!) @auth(level: USER) {
+    query {
+    review(id: $id) @redact {
+      userID @check(expr: "this == auth.uid", message: "You can only update your own reviews")
+    }
+  }
   review_delete(key: { id: $id })
 }