sexy/packages/backend/src/lib/acl.ts

import { GraphQLError } from "graphql";
import type { Context } from "../graphql/builder";

export function requireAuth(ctx: Context): void {
  if (!ctx.currentUser) throw new GraphQLError("Unauthorized");
}

export function requireAdmin(ctx: Context): void {
  requireAuth(ctx);
  if (!ctx.currentUser!.is_admin) throw new GraphQLError("Forbidden");
}

export function requireOwnerOrAdmin(ctx: Context, ownerId: string): void {
  requireAuth(ctx);
  if (ctx.currentUser!.id !== ownerId && !ctx.currentUser!.is_admin) {
    throw new GraphQLError("Forbidden");
  }
}