Unfortunately no, I couldn’t. Now I began to test the solution and it doesn’t work. I tried another approach, but unfortunately it also didn’t work. I think I will open a new topic for that question…
Regarding your question about ‘every user can edit all other users information’, then theoretically it shouldn’t happen because of this part:
const userId = ctx.state.user.id
...updateUser(userId, ctx.request.body)
So basically it should update only the user that is connected, with his own ID. But again, my solution so far didn’t work at all.