[ ] Update the DMP ID schema to mask/exclude user emails unless the User is authenticated and an admin for one of the affiliations
[ ] Update the DMP ID schema to exclude the narrative download URL for non-public DMP IDs
[ ] Add logic that applies the following for DMP ID access
[ ] Public plans are queryable by all (authentic or not)
[ ] Public plans cannot be mutated unless the User is authenticated and either a contact/contributor OR is an admin for one of the affiliations
[ ] Private plans are not queryable/mutable unless the User is authenticated and either a contact/contributor OR is an admin for one of the affiliations
We should also:
[ ] Extract the DMP ID model from the resolver so that they are in separate files
Additional logic will need to be added as we add new parts to the system (e.g. guidance groups, templates, etc.)
Once the authentication logic is working, we need to incorporate authorization logic.
See: https://www.apollographql.com/docs/apollo-server/security/authentication
We will need several levels:
We should also:
Additional logic will need to be added as we add new parts to the system (e.g. guidance groups, templates, etc.)