The GraphQL query ordersByAccountId requires the account ID as the first argument.
However, to get a specific order, I just need its ID and not the account ID. If I try see the order belonging to another account, I get access denied.
Since the resolver clearly knows what user I am; can it not be possible to just make the accountId param optional, and use the ID of the user making the request.
A client must first make a request to get the viewer then use this result to make a further request for ordersByAccountId, slower. Other queries simply use the ID of the user making the authenticated request meaning we don't need to fetch it first, but this specific query is not consistent with the others since it's a mandatory argument.
The GraphQL query
ordersByAccountIdrequires the account ID as the first argument.However, to get a specific order, I just need its ID and not the account ID. If I try see the order belonging to another account, I get access denied.
Since the resolver clearly knows what user I am; can it not be possible to just make the
accountIdparam optional, and use the ID of the user making the request.A client must first make a request to get the
viewerthen use this result to make a further request forordersByAccountId, slower. Other queries simply use the ID of the user making the authenticated request meaning we don't need to fetch it first, but this specific query is not consistent with the others since it's a mandatory argument.