graphql mutations are locked by user type.

src/clj/auto_ap/graphql/utils.clj

@@ -1,5 +1,6 @@
 (ns auto-ap.graphql.utils
   (:require [clojure.string :as str]
+            [buddy.auth :refer [throw-unauthorized]]
             [clojure.walk :as walk]))
 
 
@@ -38,3 +39,16 @@
         :else
         node))
     m))
+
+
+(defn assert-admin [id]
+  (when-not (= "admin" (:role id))
+    (throw-unauthorized)))
+
+(defn can-see-company? [identity company]
+  (or (= "admin" (:role identity))
+      ((set (:companies identity)) (:id company))))
+
+(defn assert-can-see-company [identity company]
+  (when-not (can-see-company? identity company)
+    (throw-unauthorized)))