updateAfter: { or: [
{ rule: """
query ($USER: String!) {
queryUser(filter: {
username: { eq: $USER },
{ not: { has: role } }
}) {
username
}
}"""
},
{ rule: "{$ROLE: { eq: \"ADMIN\" }}" }
] }
I think you could also just use { not: { has: role } } as a field restriction for field level auth restrictions. I assume this would work like add, which does not query current values (since there are none), even though technically you would probably have a value for role in the database.
That way no one could change values you don’t want them to.
This also wouldn’t interfere with the validation for no null values, since you will never really have a null value in the db.
J