Over-specific method in api

Question

Over-specific method in api

Opened this issue 12 years ago · 6 comments

Answer 1 · 2012-09-18T10:52:05.000Z

Copied from #2 (comment)
An :identity or :created_by parameter won't help, because someone could simply remove the parameter in order to see the email address or whatever.

This needs to be implemented by the policy/permissions system.

Answer 2 · 2012-09-18T10:52:05.000Z

Copied from #2 (comment)
I think the idea here is to use the current_identity as a filter, not as a mean of access control.

Answer 3 · 2012-09-18T10:52:06.000Z

Copied from #2 (comment)
But the email address would still be available if you get a bunch of posts (for the main view in dittforslag, for example), right?

Answer 4 · 2012-09-18T10:52:07.000Z

Copied from #2 (comment)
Yes, but restrictions on who gets to see what should be enforced by a designated policy system. See also Simens comment on #7.

Answer 5 · 2012-09-18T10:52:08.000Z

Copied from #2 (comment)
yeah, agreed. Conclusion is: we need to keep the dirty hack for now, and refactor when we implement the policy system :)

Answer 6 · 2012-09-18T10:52:08.000Z

Copied from #2 (comment)
I believe this is also related to issue #58