I think I was saying that add doesn’t need to check what the record will look like after the commit, since it is new data, so same thing. But you’re right, even better, if the add record merges with nested nodes that already exists, it does matter.
In that case, it should be an easy fix to add the update-after the way that it should work, since the code should use the same validation function as add does.
My point is that we need both the update-after auth fix, AND field-leve-auth for field restrictions to fix the @auth problems, or we can’t properly secure many situations.
Unless @aman-bansal has another idea for this?
J