
Craftql and authorization #326

Open
gertst opened this issue Oct 25, 2019 · 0 comments
gertst commented Oct 25, 2019

Hi Mark,
Hi all,

I'm doing some investigations to use Craft as a headless CMS for a web portal that provides courses for users.

I want to use CraftQL to log in a user and do some CRUD functions on several channels.
But I don't see how I can avoid having users read records of other users. A tech-savvy user might fiddle with a GraphQL viewer to read out all entries of a channel.

E.g.: I have a Channel Results, containing the fields User(id) and Score.
How can I make sure that a user can only read out his entry and not others?
Things get even worse when allowing mutations.

Can I create a Craft plugin to interface with the CraftQL plugin and block queries/mutations with certain fields/filters? If so, what hooks should be used? Is there some demo code available?

Am I overlooking something obvious here, or is CraftQL not the way to go for CRUD functions?

Thanks for sharing your thoughts on this!

Gert - www.but.be
