Failing spec for garnered_find not respecting chained criteria

[mzikherman]

Ahoy there!

Here is a failing spec that shows garnered_find not respecting chained criteria.

I would expect @monger_who_is_a_thug.cheeses.garnered_find("cheddar") to return nothing, since cheddar is not one of this monger's cheeses.

I'm realizing in our API, we do build up scopes/chain criteria and then call garnered_find at the end on some object. This means that someone can make an API call for something they are authorized for, but pass in an object id for something else and get it. Something like partner.artworks.garnered_find(id) means that if you pass in the id of any artwork, as long as you have access to the given partner, you'll be able to get the details of a completely different private work.

Let me know if you think this is something we should fix in Garner, I'll try it out. I am thinking that the criteria used for the lookup needs to be added to the identity.

[fancyremarker]

Yeah, this was definitely never intended to work. :lollipop:

If you want to try to fix it, you'd be a mensch. However, I think that would be a major challenge, and (at least in the way I'm thinking about it) would greatly complicate some of the core object code.

[dblock]

This is a very real problem. Sounds like @fancyremarker is challenging @mzikherman to fixing this. I say you show him!

[mzikherman]

Damn you GitHub. I PR'ed something in Gravity that says 'fixes' and linked to this issue (since we were chaining something I had noticed). That automagically closed this, which in fact remains a real issue.

Though I guess it's better off as an actual issue and not a PR.

[dblock]

Thx @mzikherman, I reopened this PR though.