Authorization: "I can only access my own Data". How to? #1079
Unanswered
Gr3yShad0w asked this question in Q&A
Replies: 0 comments
Hello
I have a tool where different people can create a resource, let's say a book. I want to enforce a rule that a viewer can only view their own books. How can I enforce this with the Authorization feature of TypeGraphQL? I saw that you can pass roles like Admin, Moderator etc. But that is a "kinda" different use-case because the Authorization is not only Role-Based. What I'm trying to achieve is that:
A User can read only his own Books
An Admin can view all Books,
A Supporter can view Books he's assigned to
I first thought to implement a middleware that would look at the data that is returned and nullifies it if it is something he shouldn't see. But a problem arises when the query only accesses the name. I can't tell just from a name if a user has access to it or not, nor can I look up the original book just by a name in the database.
I don't want to validate the query, e.g. I don't want the user to have to request the Book and tell me specifically
I want Book Id 1 WHERE Author = myself
But rather
I want book ID 1
=> oh, are you the author?
=> yes, here you go
For information, I'm using typegraphql-prisma, so the resolvers are mostly auto-generated, which is why I don't really want to just enlarge the resolver itself with authorization checkers.
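The "I want book ID 1 => are you the author? => here you go" flow described in the question is an object-level authorization check that runs before the resolver, on the whole record, rather than a filter on the fields the client happened to select. The following is an added example, not code from the question or from TypeGraphQL or typegraphql-prisma: it mirrors the `({ args, context }, next)` shape of a TypeGraphQL middleware (an assumption; no `type-graphql` or Prisma package is imported), the `Role`, `User`, `Book`, `Context` types and the `BOOKS` array are constructed sample data, and `findBook` is a synchronous stand-in for `prisma.book.findUnique`.

```typescript
// Object-level ("only my own data") authorization as a resolver middleware.
// Added, self-contained example: mirrors the shape of a TypeGraphQL
// MiddlewareFn ({ args, context }, next) without importing type-graphql or
// Prisma; the data store below is a constructed in-memory array.

type Role = "USER" | "ADMIN" | "SUPPORTER";

interface User {
  id: number;
  role: Role;
}

interface Book {
  id: number;
  title: string;
  authorId: number;       // owner of the book
  supporterIds: number[]; // supporters assigned to this book
}

interface Context {
  user?: User; // undefined for an unauthenticated request
}

// Constructed sample rows standing in for the books table (assumption).
const BOOKS: Book[] = [
  { id: 1, title: "Alice's diary", authorId: 10, supporterIds: [30] },
  { id: 2, title: "Bob's notes", authorId: 20, supporterIds: [] },
];

// Stand-in for prisma.book.findUnique({ where: { id } }); synchronous here.
function findBook(id: number): Book | null {
  return BOOKS.find((b) => b.id === id) ?? null;
}

// The policy from the question: users see their own books, admins see all,
// supporters see the books they are assigned to. Everything else is denied.
function canViewBook(user: User | undefined, book: Book): boolean {
  if (!user) return false;
  switch (user.role) {
    case "ADMIN":
      return true;
    case "SUPPORTER":
      return book.supporterIds.includes(user.id);
    case "USER":
      return book.authorId === user.id;
    default:
      return false; // deny by default for any role not listed above
  }
}

interface ResolverData<TArgs> {
  args: TArgs;
  context: Context;
}
type BookArgs = { where: { id: number } };

// Middleware in the assumed shape of TypeGraphQL's MiddlewareFn. It loads the
// record by the id in the arguments and decides on the full record, so the
// decision does not depend on which fields the client selected. "Not found"
// and "not allowed" raise the same error, so a caller cannot use the error
// message to probe which ids exist.
function requireViewableBook(
  { args, context }: ResolverData<BookArgs>,
  next: () => unknown,
): unknown {
  const book = findBook(args.where.id);
  if (book === null || !canViewBook(context.user, book)) {
    throw new Error("Access denied");
  }
  return next();
}

// Stand-in for the auto-generated findUniqueBook resolver.
function findUniqueBookResolver(args: BookArgs): Book | null {
  return findBook(args.where.id);
}

// Wires middleware and resolver together the way @UseMiddleware would, and
// maps the thrown error to the string "denied" so the outcome is easy to check.
function resolveBook(context: Context, id: number): Book | "denied" {
  const data: ResolverData<BookArgs> = { args: { where: { id } }, context };
  try {
    return requireViewableBook(data, () => findUniqueBookResolver(data.args)) as Book;
  } catch {
    return "denied";
  }
}
```

The same `canViewBook` policy can be attached to the generated `findUniqueBook` resolver through a middleware rather than edited into the resolver body; for list resolvers (`findManyBook`) the equivalent is to add the ownership or assignment condition to the `where` argument before the query runs, since post-filtering returned rows has the problem the question describes.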