GraphQL Middleware Resolver

System Information
  • Strapi Version: 4.8.2
  • Operating System: Mac
  • Database: Postgres
  • Node Version: 16.18
  • Yarn Version: 1.22.19


I am trying to create a middleware that allows me to put two restrictions in place.
a) Only users who are creators of a content type can edit it (e.g. the author of a comment).
b) Public users should only see 5 results for nested content (e.g. see only 5 comments for a blog post out of 30 comments). Authorised users should be able to see all.


  • The content may be nested (e.g. posts have comments nested below)
  • This is about users & permissions plugin, not admin users.
  • All is done in GraphQL, not with Rest APIs

Current approach:
In the middleware I execute the following code:

export default async (resolve, parent, args, context, info) => {
  // Run the wrapped resolver first, then inspect what it returned
  const res = await resolve(parent, args, context, info)
  const { value } = res
  const val = await value

  // conditions:
  // only allow users who are creator of the content to edit it
  // do manipulation (e.g. limit results)

  return res
}

Issue with the approach:
The val variable only contains the upper level content (e.g. Post), but the nested content is missing (e.g. repeatable components such as comments and relational data such as users).


  1. What would be the best way to achieve this? Can I get access to nested content? Where else would I be able to implement these rules?
  2. Can I only control the actions “Query” and “Mutation” or also “findOne”, “findMany”, etc.?
  3. Bonus question: is there a nice way to type middleware with TypeScript?

Other tested approaches:

  • Manipulating the resolver → I think this could work. But I would have to rewrite every resolver, which seems wrong
  • Using policies → seem to not give access to the resolver
  • Using Admin users and with that the option for conditions and advanced RBAC → I don’t think that content (Posts, Comments) can be created via GraphQL as an admin user. I also don’t think this is how it would be intended.

Thank you very much for any hint in the right direction! I have been searching for a few days :).

Hey @NilsMich - did you ever figure this out?
I have a similar scenario and so far using middleware with GraphQL has been like walking in pitch darkness.

There is barely any documentation on it.
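
The two restrictions from the original question, sketched as resolver middleware with the same (resolve, parent, args, context, info) signature. This is an added example, not code from the thread or from Strapi. It assumes the middleware can be attached to the nested field's own resolver, that the authenticated user is at context.state.user, that nested lists take pagination { start, limit } args, and that loadOwnerId is a hypothetical lookup you supply.

```javascript
// Added example; names and argument shapes are assumptions (see lead-in).
const PUBLIC_NESTED_LIMIT = 5;

// Pure helper: compute the args a nested list resolver is allowed to run with.
function clampNestedArgs(args, user) {
  if (user) return args; // authenticated users keep their own paging
  const asked = Number(args?.pagination?.limit);
  const limit = Number.isInteger(asked) && asked > 0
    ? Math.min(asked, PUBLIC_NESTED_LIMIT)
    : PUBLIC_NESTED_LIMIT;
  // Pin start to 0: capping only `limit` would let an anonymous client walk
  // the whole list five items at a time by raising the offset.
  return { ...args, pagination: { start: 0, limit } };
}

// Middleware for a nested list field such as Post.comments. Each GraphQL field
// has its own resolver and args, so the cap is applied where the list is read.
const capNestedForPublic = (resolve, parent, args, context, info) =>
  resolve(parent, clampNestedArgs(args, context.state?.user), context, info);

// Middleware factory for update/delete mutations: creator-only.
// loadOwnerId(id) is hypothetical: return the record's creator id, or null.
const ownerOnly = (loadOwnerId) => async (resolve, parent, args, context, info) => {
  const user = context.state?.user;
  if (!user) throw new Error('Forbidden');
  // Decide BEFORE calling resolve(): for a mutation, resolve() is the write.
  const ownerId = await loadOwnerId(args.id);
  // Same error for "not yours" and "not found" so ids cannot be probed.
  if (ownerId == null || String(ownerId) !== String(user.id)) {
    throw new Error('Forbidden');
  }
  return resolve(parent, args, context, info);
};
```

Checking after resolve(), as in a read-side filter, is too late for mutations because the write has already happened by the time the result comes back.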