diff --git a/backend/src/middleware/permissionsMiddleware.js b/backend/src/middleware/permissionsMiddleware.js
index 3ac43a6e2..3688aec16 100644
--- a/backend/src/middleware/permissionsMiddleware.js
+++ b/backend/src/middleware/permissionsMiddleware.js
@@ -86,7 +86,8 @@ const permissions = shield({
 unshout: isAuthenticated,
 changePassword: isAuthenticated,
 enable: isModerator,
- disable: isModerator
+ disable: isModerator,
+ CreateComment: isAuthenticated
 // CreateUser: allow,
 },
 User: {
diff --git a/backend/src/resolvers/comments.js b/backend/src/resolvers/comments.js
index 74454322d..5ab20cf46 100644
--- a/backend/src/resolvers/comments.js
+++ b/backend/src/resolvers/comments.js
@@ -5,7 +5,7 @@ export default {
 CreateComment: async (object, params, context, resolveInfo) => {
 const { postId } = params
- const result = await neo4jgraphql(object, params, context, resolveInfo, true)
+ const comment = await neo4jgraphql(object, params, context, resolveInfo, true)
 const session = context.driver.session()
 const transactionRes = await session.run(`
@@ -13,12 +13,9 @@ export default {
 MERGE (post)<-[:COMMENTS]-(comment)
 RETURN comment {.id, .content}`, {
 postId,
- commentId: result.id
+ commentId: comment.id
 }
 )
- const [comment] = transactionRes.records.map(record => {
- return record.get('comment')
- })
 session.close()
diff --git a/backend/src/resolvers/comments.spec.js b/backend/src/resolvers/comments.spec.js
new file mode 100644
index 000000000..e17f94ec9
--- /dev/null
+++ b/backend/src/resolvers/comments.spec.js
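Review bot: In backend/src/resolvers/comments.js (hunk `@@ -13,12 +13,9 @@`), `transactionRes` is still assigned but no longer read, so the resolver now returns the comment created by `neo4jgraphql` whether or not the MERGE attached it to a post. The MATCH clause sits above the hunk, so this is inferred, but if it finds no post for `postId`, an authenticated caller can leave orphaned Comment nodes and still receive a success response. I would check the result and fail, e.g. `if (transactionRes.records.length === 0) throw new Error('Post not found')`, and ideally verify the post before the comment is created. `session.close()` should also move into a `finally` so that a rejected `session.run` does not leak the session. The resolver body starts and ends outside the hunk.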
@@ -0,0 +1,64 @@
+import Factory from '../seed/factories'
+import { GraphQLClient } from 'graphql-request'
+import { host, login } from '../jest/helpers'
+
+const factory = Factory()
+let client
+let variables
+
+beforeEach(async () => {
+ await factory.create('User', {
+ email: 'test@example.org',
+ password: '1234'
+ })
+})
+
+afterEach(async () => {
+ await factory.cleanDatabase()
+})
+
+describe('CreateComment', () => {
+ const mutation = `
+ mutation($id: ID!, $postId: ID!, $content: String!) {
+ CreateComment(id: $id, postId: $postId, content: $content) {
+ id
+ content
+ }
+ }
+ `
+ describe('unauthenticated', () => {
+ it('throws authorization error', async () => {
+ variables = {
+ id: 'c1',
+ postId: 'p1',
+ content: "I'm not authorised to comment"
+ }
+ client = new GraphQLClient(host)
+ await expect(client.request(mutation, variables)).rejects.toThrow('Not Authorised')
+ })
+ })
+
+ describe('authenticated', () => {
+ let headers
+ beforeEach(async () => {
+ headers = await login({ email: 'test@example.org', password: '1234' })
+ client = new GraphQLClient(host, { headers })
+ })
+
+ it('creates a post', async () => {
+ variables = {
+ id: 'c1',
+ postId: 'p1',
+ content: "I'm authorised to comment"
+ }
+ const expected = {
+ CreateComment: {
+ id: 'c1',
+ content: "I'm authorised to comment"
+ }
+ }
+
+ await expect(client.request(mutation, variables)).resolves.toMatchObject(expected)
+ })
+ })
+})
\ No newline at end of file
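Review bot: The authenticated case passes `postId: 'p1'`, but the top-level `beforeEach` only creates a user, so the test succeeds with no post for the comment to attach to and checks only the returned `id` and `content`. Create a post fixture first and assert that the comment ends up linked to it, and add a case that expects an error for an unknown `postId`. The title `'creates a post'` should read `'creates a comment'`.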