graphql mutations are locked by user type.

src/clj/auto_ap/graphql.clj

@@ -8,6 +8,7 @@
     [buddy.auth :refer [throw-unauthorized]]
     [auto-ap.db.invoices :as invoices]
     [auto-ap.utils :refer [by]]
+    [auto-ap.graphql.utils :refer [assert-admin can-see-company? assert-can-see-company]]
     [auto-ap.db.vendors :as vendors]
     [auto-ap.db.companies :as companies]
     [auto-ap.db.users :as users]
@@ -282,7 +283,6 @@
                             :resolve :mutation/edit-expense-accounts}}})
 
 
-
 (defn snake->kebab [s]
   (str/replace s #"_" "-"))
 
@@ -337,9 +337,6 @@
         :start (:start args 0)
         :end (+ (:start args 0) (count invoices))}] extra-context)))
 
-(defn assert-admin [id]
-  (when-not (= "admin" (:role id))
-    (throw-unauthorized)))
 
 (defn get-all-invoices [context args value]
   (assert-admin (:id context))
@@ -426,9 +423,7 @@
       (map company-cache (:companies value))
       (map companies/get-by-id (:companies value)))))
 
-(defn can-see-company? [identity company]
-  (or (= "admin" (:role identity))
-      ((set (:companies identity)) (:id company))))
+
 
 (defn get-company [context args value]
   (->graphql
@@ -443,7 +438,7 @@
      users)))
 
 (defn get-user [context args value]
-  (assert-admin)
+  (assert-admin (:id context))
 
   (let [
         users (users/get-all)
@@ -458,6 +453,8 @@
    (vendors/get-all)))
 
 (defn print-checks [context args value]
+  
+  (assert-can-see-company (:id context) (:company_id args))
   (->graphql
    (rchecks/print-checks (map (fn [i] {:invoice-id (:invoice_id i)
                                       :amount (:amount i)})