graphql · stubailo · Oct 6, 2016 · Oct 6, 2016
diff --git a/site/learn/BestPractice-Authorization.md b/site/learn/BestPractice-Authorization.md
@@ -20,7 +20,7 @@ var postType = new GraphQLObjectType({
   fields: {
     body: {
       type: GraphQLString,
-      resolve: (post, args, context, rootValue) => {
+      resolve: (post, args, context, { rootValue }) => {
         // return the post body only if the user is the post's author
         if (context.user && (context.user.id === post.authorId)) {
           return post.body;
@@ -45,14 +45,14 @@ var postType = new GraphQLObjectType({
   fields: {
     body: {
       type: GraphQLString,
-      resolve: (post, args, context, rootValue) => {
+      resolve: (post, args, context, { rootValue }) => {
         return postRepository.getBody(context.user, post);
       }
     }
   }
 });
 ```
 
-In the example above, we see that the business logic layer requires the caller to provide a user object. If you are using GraphQL.js, the User object should be populated on the `context` or `rootValue` arguments of the resolver.
+In the example above, we see that the business logic layer requires the caller to provide a user object. If you are using GraphQL.js, the User object should be populated on the `context` argument or `rootValue` in fourth argument of the resolver.
 
 We recommend passing a fully-hydrated User object instead of an opaque token or API key to your business logic layer. This way, we can handle the distinct concerns of [authentication](/graphql-js/authentication-and-express-middleware/) and authorization in different stages of the request processing pipeline.