I’m developing a site that has functionality similar to sites like Reddit. That is, users can up- and downvote posts.
Every post has a rating property that is the sum of upvotes minus the sum of downvotes. This property is updated whenever a user up- or downvotes. I also keep track of which user has voted on what in a separate table, and in principle, I could compute the score based on that information only. However, for the sake of simplicity and query performance, I decided to keep the rating as a property as well.
Since the rating value needs to be updated on every vote, I give my users the ability to change that value on every post. This means (if I understand correctly) that a malicious user could post requests with GraphQL mutations that would change the rating value as they please.
What can I do to prevent this from happening?
My attempt to solve this issue: I could forbid normal users from updating the rating value on a post. I would then create a helper user that can update the values. Whenever a user votes on a post, the helper user would then change the rating value instead of the user themselves.
Do you consider that a valid approach for my problem? Or am I missing some functionality that solves this issue?
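The approach sketched in the question, carried out as a server-side GraphQL mutation, as an added example that is not part of the original post. It assumes a Node GraphQL server whose resolvers have the usual `(parent, args, context)` shape and an authenticated `context.user`; the schema, store and names (`vote`, `updatePost`, `recomputeRating`) are hypothetical and in-memory. The point it shows: clients never write `rating` at all, not even via a privileged helper user. The only write path is a `vote` mutation that takes the direction (+1/-1), looks up the caller's previous vote, and applies the delta on the server; ordinary post edits go through an input type that has no `rating` field.

```javascript
// Added example (not from the original post). Assumed: Node GraphQL server,
// resolvers of shape (parent, args, context), context.user set by auth.

// Hypothetical schema. UpdatePostInput has no `rating` field, so a client
// mutation that tries to set it is rejected by schema validation before any
// resolver runs. `Post.rating` is read-only for clients.
const typeDefs = `
  type Post { id: ID!, title: String!, rating: Int! }
  input UpdatePostInput { title: String }
  type Mutation {
    vote(postId: ID!, value: Int!): Post!
    updatePost(id: ID!, input: UpdatePostInput!): Post!
  }
`;

// In-memory stand-ins for the two tables described in the question
// (constructed sample data).
const posts = new Map([["p1", { id: "p1", title: "hello", rating: 0 }]]);
const votes = new Map(); // key "userId:postId" -> +1 | -1

function requireUser(context) {
  if (!context || !context.user) throw new Error("unauthenticated");
  return context.user.id;
}

const resolvers = {
  Mutation: {
    // The only code path that changes `rating`. The client only chooses a
    // direction; the server computes the new value from its own vote table.
    vote(_parent, { postId, value }, context) {
      const userId = requireUser(context);
      if (value !== 1 && value !== -1) throw new Error("value must be 1 or -1");
      const post = posts.get(postId);
      if (!post) throw new Error("no such post");
      const key = `${userId}:${postId}`;
      const previous = votes.get(key) || 0;
      // Repeating the same vote is a no-op; switching sides moves the
      // rating by 2. A user can therefore never contribute more than +/-1.
      post.rating += value - previous;
      votes.set(key, value);
      return post;
    },
    // Defence in depth for ordinary edits: even if the schema were loosened
    // later, only an explicit allow-list of fields is ever copied onto the row.
    updatePost(_parent, { id, input }, context) {
      requireUser(context);
      const post = posts.get(id);
      if (!post) throw new Error("no such post");
      const allowed = ["title"];
      for (const [k, v] of Object.entries(input)) {
        if (!allowed.includes(k)) throw new Error(`field not writable: ${k}`);
        post[k] = v;
      }
      return post;
    },
  },
};

// Audit helper: recompute the denormalised rating from the vote table so
// drift (a bug, or a write that bypassed the resolver) can be detected.
function recomputeRating(postId) {
  let sum = 0;
  for (const [key, v] of votes) {
    if (key.split(":")[1] === postId) sum += v;
  }
  return sum;
}
```

Because the client never supplies a rating, there is nothing for a malicious mutation to tamper with; the privilege to write `rating` lives in the resolver (or, at the database layer, in a stored procedure or trigger keyed on the vote table) rather than in any user account. The `recomputeRating` check is worth running periodically against the stored value, since a cached aggregate can only be trusted as far as every write path to it is controlled.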