Wow. OK. So basically GraphQL is totally useless, as it steps over validation and business logic. It is like a wire directly to the database? This is a real security issue. So the best practice should then be turning it off or removing it completely, as it is only usable for really simple public websites. Is there somewhere a guide on how to remove it completely from the API?
The thing is that Strapi is not really flexible when it comes to the ability to define conditional authorization logic via the admin UI. Things like
    // subscription state comes from service logic (elided in the original)
    const subscriptionActive = (... service logic to define subscription state)
    // approval is allowed only when all three conditions hold
    if (workflowState === "approval" && role === "paidUser" && subscriptionActive === true) {
      return true;
    }
    return false;
must be possible. I do not expect, and also do not believe it would be a good idea, to handle that via the UI. Instead there should be an MVC or event-driven business logic layer, exactly like the one that is in place. The one that is bypassed.
... why, Strapi devs ... why?
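As an added illustration of the point above (example code, not Strapi's own API and not the poster's code): one authorization rule kept in a single function and applied to both the REST controller and the GraphQL resolver, so neither transport can skip it. The field names `workflowState`, `subscriptionEndsAt`, `role`, and the `guardApproval` helper are assumptions made for this example.

```javascript
// Added example: a shared authorization layer that both REST and GraphQL
// entry points must pass through. All names below are assumptions, not
// Strapi APIs.

// A subscription is active only while its end date lies in the future.
function subscriptionActive(user, now = new Date()) {
  if (!user || !user.subscriptionEndsAt) return false;
  return new Date(user.subscriptionEndsAt).getTime() > now.getTime();
}

// The rule from the post: entry in "approval" state, caller holds the
// paidUser role, and the caller's subscription is active.
function canApprove(user, entry, now = new Date()) {
  if (!user || !entry) return false;
  return (
    entry.workflowState === "approval" &&
    user.role === "paidUser" &&
    subscriptionActive(user, now)
  );
}

// Wrap any handler (REST controller or GraphQL resolver) so the rule runs
// before the business action; a rejected call never reaches the handler.
function guardApproval(handler) {
  return (user, entry, ...rest) => {
    if (!canApprove(user, entry)) {
      return { ok: false, error: "forbidden" };
    }
    return handler(user, entry, ...rest);
  };
}

// The business action itself, reused by both transport layers.
function approveEntry(user, entry) {
  return {
    ok: true,
    entry: { ...entry, workflowState: "approved", approvedBy: user.id },
  };
}

// Both entry points share the same guarded action, so GraphQL cannot
// reach approveEntry without the check.
const restApprove = guardApproval(approveEntry);
const graphqlApproveResolver = guardApproval(approveEntry);

// Constructed sample data for a stand-alone run.
const paidUser = { id: 1, role: "paidUser", subscriptionEndsAt: "2999-01-01T00:00:00Z" };
const lapsedUser = { id: 2, role: "paidUser", subscriptionEndsAt: "2000-01-01T00:00:00Z" };
const pendingEntry = { id: 42, workflowState: "approval" };
```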