prisma-ecommerce
Build permissions system on the backend
Using graphql-shield or https://blog.graph.cool/graphql-directive-permissions-authorization-made-easy-54c076b5368e
Step 1. Allow only users with role ADMIN to perform those mutations:

```graphql
# Upsert mutations
upsertBrand(brandId: ID, categoryId: ID!, name: String!): Brand
upsertAttribute(attributeId: ID, categoryId: ID!, value: String!): Attribute
upsertCategory(categoryId: ID, name: String!): Category
upsertOption(optionId: ID, name: String!, values: [OptionValueInput!]!, categoryId: ID!): Option
upsertProduct(
  productId: ID,
  name: String!,
  categoryId: ID!,
  brandId: ID!,
  available: Boolean!,
  optionIds: [ID!]!,
  variants: [ProductVariantInput!]!,
  attributesIds: [ID!]!,
  unavailableOptionsValuesIds: [ID!]!,
  displayPrice: Float!,
  imageUrl: String
): Product

# Upsert Shop metadata
upsertBestSalesProducts(shopMetadataId: ID, bestSalesProducts: [OrderableProductInput!]!): ShopMetadata!
upsertNewProducts(shopMetadataId: ID, newProducts: [OrderableProductInput!]!): ShopMetadata!
upsertMOTD(shopMetadataId: ID, MOTD: String!): ShopMetadata!

# Delete mutations
deleteProduct(productId: ID!): Product
deleteOption(optionId: ID!): Option
deleteBrand(brandId: ID!): Brand
deleteAttribute(attributeId: ID!): Attribute
deleteCategory(categoryId: ID!): Category

# Order mutations
setOrderAsPrepared(orderId: ID!): Order # Can be updated only by admins (e.g. to set order as prepared)
```

And those queries:

```graphql
allCustomers: [User!]!
```
+1 to graphql-shield
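
The ADMIN-only rule requested in the issue, written as a plain resolver wrapper (an added example, not code from prisma-ecommerce and not graphql-shield's API). It assumes the authentication layer puts the signed-in user, with a `role` field, on `ctx.user`; `ADMIN_ONLY`, `requireAdmin` and `protectResolvers` are hypothetical names.

```javascript
// Fields from the issue that only role ADMIN may call.
const ADMIN_ONLY = {
  Mutation: [
    'upsertBrand', 'upsertAttribute', 'upsertCategory', 'upsertOption',
    'upsertProduct', 'upsertBestSalesProducts', 'upsertNewProducts', 'upsertMOTD',
    'deleteProduct', 'deleteOption', 'deleteBrand', 'deleteAttribute',
    'deleteCategory', 'setOrderAsPrepared',
  ],
  Query: ['allCustomers'],
};

// Wrap one resolver so the role check runs before any data access.
// Assumption: ctx.user is set by the auth layer, never taken from query args.
function requireAdmin(resolve) {
  return (parent, args, ctx, info) => {
    const user = ctx && ctx.user;
    if (!user) throw new Error('Not authenticated');
    if (user.role !== 'ADMIN') throw new Error('Not authorized');
    return resolve(parent, args, ctx, info);
  };
}

// Return a copy of the resolver map with every listed field guarded.
// A listed field with no resolver is a startup error, so a renamed
// mutation cannot quietly drop out of the protected set.
function protectResolvers(resolvers, adminOnly = ADMIN_ONLY) {
  const out = {};
  for (const [type, fields] of Object.entries(resolvers)) {
    out[type] = { ...fields };
  }
  for (const [type, names] of Object.entries(adminOnly)) {
    for (const name of names) {
      if (!out[type] || typeof out[type][name] !== 'function') {
        throw new Error(`No resolver for admin-only field ${type}.${name}`);
      }
      out[type][name] = requireAdmin(out[type][name]);
    }
  }
  return out;
}
```

Fields not named in `ADMIN_ONLY` pass through unguarded, so any admin mutation added to the schema later has to be added to the list as well.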