Limiting how values can be changed

I’m developing a site that has functionality similar to sites like Reddit. That is, users can up- and downvote posts.

Every post has a rating property that is the sum of upvotes minus the sum of downvotes. This property is updated whenever a user up- or downvotes. I also keep track of which user has voted on what in a separate table, and in principle, I could compute the score based on that information only. However, for the sake of simplicity and query performance, I decided to keep the rating as a property as well.

Since the rating value needs to be updated on every vote, I give my users the ability to change that value on every post. This means (if I understand correctly) that a malicious user could post requests with GraphQL mutations that would change the rating value as they please.

What can I do to prevent this from happening?

My attempt to solve this issue: I could forbid normal users from updating the rating value on a post. I would then create a helper user that can update the values. Whenever a user votes on a post, the helper user would then change the rating value instead of the user themselves.

Do you consider that a valid approach for my problem? Or am I missing some functionality that solves this issue?

I don’t understand the helper user approach, maybe you can post some code. But if you just do the following, I don’t see how a malicious user could game your voting system:

Your upvote (and downvote) mutations (with @requireAuth) should just check that the current user has not already upvoted (downvoted) that post and then use this handy Prisma shorthand:

// Atomic increment done by the database; the client never sends the new value
prisma.post.update({
  where: { id: 1234 },
  data: { upvote: { increment: 1 } }
});

Oh wow, that’s perfect. Thank you so much!
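As an added example (not code from the thread), the check described in the answer can be enforced by the database instead of a read-then-write in the resolver, so two concurrent requests from one user cannot both be counted. The `Vote` model with a unique constraint on (userId, postId), the `rating` field, and the names `castVote` and `fakeDb` are assumptions; `fakeDb` is a constructed stand-in for the Prisma client.

```javascript
// Added example. Assumed schema: Post { id, rating } and Vote { userId, postId, value }
// with a unique constraint on (userId, postId). `db` is a Prisma client.
async function castVote(db, userId, postId, value) {
  // The request only carries the vote direction, never the new rating.
  if (value !== 1 && value !== -1) throw new Error('vote must be +1 or -1');
  try {
    const post = await db.$transaction(async (tx) => {
      // A repeat vote violates the unique constraint here, so the increment never runs.
      await tx.vote.create({ data: { userId, postId, value } });
      return tx.post.update({ where: { id: postId }, data: { rating: { increment: value } } });
    });
    return { counted: true, rating: post.rating };
  } catch (e) {
    if (e.code === 'P2002') return { counted: false }; // Prisma: unique constraint failed
    throw e;
  }
}

// Constructed in-memory stand-in for the Prisma client so the example runs offline.
function fakeDb(posts) {
  const votes = new Set();
  const tx = {
    vote: {
      create: async ({ data }) => {
        const key = `${data.userId}:${data.postId}`;
        if (votes.has(key)) throw Object.assign(new Error('duplicate'), { code: 'P2002' });
        votes.add(key);
      },
    },
    post: {
      update: async ({ where, data }) => {
        const post = posts.find((p) => p.id === where.id);
        post.rating += data.rating.increment;
        return post;
      },
    },
  };
  return { $transaction: (fn) => fn(tx) };
}

async function demo() {
  const posts = [{ id: 1234, rating: 0 }];
  const db = fakeDb(posts);
  const first = await castVote(db, 7, 1234, 1);
  const replay = await castVote(db, 7, 1234, 1); // same user votes again
  const other = await castVote(db, 8, 1234, -1);
  return { first, replay, other, rating: posts[0].rating };
}
demo().then(console.log);
```

In a real service `userId` would come from the authenticated session rather than from a mutation argument.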