Open ljmcgann opened 5 years ago
Could somebody correct me if I'm wrong?
You're correct. The way I've most often seen this used is:

- `*_get_all_by_project_id` isn't actually exposed to users
- `*_get_all` checks if the user is an admin; if so it actually gets all; if not it returns `*_get_all_by_project_id`, and gets the project_id from the context

So a user cannot get all offers then? I thought we said that it was ok for any user to view any object, they just couldn't update or delete without permissions
Oh right - it would depend on the object as well. For offers it would be okay; for bids, probably not.
Why not? So long as bids cannot be updated without proper scope, what does it matter if users can see bids?
In general, it's better to be defensive. It's better for people to ask "hey, why can't I see this", rather than "hey, why can person B see all the things I think should be private".
In this specific case - the possibility of undercutting bids :)
So shouldn't this same logic apply to offers?
People put up offers with a cost
Definitely a valid concern! But given the current UI, I'd say no.
offer and bid _get_all_by_project_id should take in a project id as a parameter, not get by the project_id of a context
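Added example (not the project's own code): a minimal sketch of the access pattern discussed in this thread, with the split the last comment asks for. The scoped getters take an explicit `project_id` argument, `bid_get_all` is the admin-or-own-project gate described above, `offer_get_all` is open to any caller because the thread treats offers as viewable by everyone, and `bid_update` enforces ownership. `RequestContext`, `Record`, the in-memory `OFFERS`/`BIDS` tables and all identifiers are assumptions constructed for the example, not names from the project.

```python
from dataclasses import dataclass
from typing import List, Optional


class Forbidden(Exception):
    """Raised when the caller's context does not permit the operation."""


@dataclass(frozen=True)
class RequestContext:
    # Assumed shape of the request context: who is calling and from which project.
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass
class Record:
    uuid: str
    project_id: str
    cost: int


# Constructed sample data standing in for the database tables.
OFFERS: List[Record] = [
    Record("o1", "proj-a", 10),
    Record("o2", "proj-b", 12),
]
BIDS: List[Record] = [
    Record("b1", "proj-a", 9),
    Record("b2", "proj-b", 11),
    Record("b3", "proj-a", 8),
]


def _get_all_by_project_id(table: List[Record], project_id: str) -> List[Record]:
    # Internal scoped query: the project_id is a parameter, never read from a context.
    return [r for r in table if r.project_id == project_id]


def offer_get_all_by_project_id(project_id: str) -> List[Record]:
    return _get_all_by_project_id(OFFERS, project_id)


def bid_get_all_by_project_id(project_id: str) -> List[Record]:
    return _get_all_by_project_id(BIDS, project_id)


def offer_get_all(context: RequestContext) -> List[Record]:
    # Offers are treated as public in the thread: any authenticated caller sees all of them.
    return list(OFFERS)


def bid_get_all(context: RequestContext) -> List[Record]:
    # The defensive default: admins see everything, everyone else only their own project.
    # The API layer decides the scope and passes it explicitly to the scoped getter.
    if context.is_admin:
        return list(BIDS)
    return bid_get_all_by_project_id(context.project_id)


def _find(table: List[Record], uuid: str) -> Optional[Record]:
    return next((r for r in table if r.uuid == uuid), None)


def bid_update(context: RequestContext, bid_uuid: str, cost: int) -> Record:
    # Visibility and mutation are separate checks: even where a record can be read,
    # updating it requires admin rights or ownership by the caller's project.
    bid = _find(BIDS, bid_uuid)
    if bid is None:
        raise KeyError(bid_uuid)
    if not (context.is_admin or bid.project_id == context.project_id):
        raise Forbidden(f"{context.user_id} may not update bid {bid_uuid}")
    bid.cost = cost
    return bid
```

The point of keeping `*_get_all_by_project_id(project_id)` free of any context is that the same function can then serve an admin asking about another project and a non-admin asking about their own, with the policy decision made once, in `*_get_all`, rather than hidden inside the query.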