Update auth-and-access-control.md

docs/pages/docs/guides/auth-and-access-control.md

@@ -203,11 +203,12 @@ type Session = {
 We can now set up **operation** access control to restrict the **create**, **update** and **delete** operations to authenticated users with the `isAdmin` checkbox set:
 
 ```ts
-const isAdmin = ({ session }: { session: Session }) => session?.data.isAdmin;
+const isAdmin = ({ session }: { session: Session }) => Boolean(session?.data.isAdmin);
 
 const Post = list({
   access: {
     operation: {
+      query: isAdmin,
       create: isAdmin,
       update: isAdmin,
       delete: isAdmin,
@@ -432,11 +433,14 @@ When you need it, you can call `context.sudo()` to create a new context with ele
 For example, we probably want to block all public access to querying users in our system:
 
 ```ts
-const isAdmin = ({ session }: { session: Session }) => session?.data.isAdmin;
+const isAdmin = ({ session }: { session: Session }) => Boolean(session?.data.isAdmin);
 
 const Person = list({
   access: {
     query: isAdmin,
+    create: isAdmin,
+    update: isAdmin,
+    delete: isAdmin
   },
   fields: {
     // see above
@@ -515,7 +519,7 @@ const isUser = ({ session }: { session: Session }) =>
 
 // Validate the current user is an Admin
 const isAdmin = ({ session }: { session: Session }) =>
-  session?.data.isAdmin;
+  Boolean(session?.data.isAdmin);
 
 // Validate the current user is updating themselves
 const isPerson = ({ session, item }: { session: Session, item: PersonData }) =>
@@ -528,7 +532,9 @@ const isAdminOrPerson = ({ session, item }: { session: Session, item: PersonData
 const Person = list({
   access: {
     operation: {
+      query: isAdmin,
       create: isAdmin,
+      update: isAdmin,      
       delete: isAdmin,
     },
     item: {