ericberman / MyFlightbookWeb

The website and service for MyFlightbook

Restrict access to images? #97

Closed ericberman closed 6 years ago

ericberman commented 6 years ago

Aircraft - should ALL be public. Flights - should be public if flight is public, else restricted to owner. BasicMed and endorsements - restricted to owner.

Flights is the tricky one because it's called from the mobile apps via webservice. May need to add the authtoken to the URL in the request that retrieved the flights?

ericberman commented 6 years ago

Minor issue: instructor viewing student's logbook can access flight images. Harder issue: the AWS URL is still completely open... only real way to get around that is to lock down AWS and send all image requests through us, which will add both a lot of load and a lot of latency... Could pass credentials to AWS...need to explore how to do that.

ericberman commented 6 years ago

For now, I think I'm OK on this.
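The access rule described in this thread, written out as an added example (not code from MyFlightbook or from the issue author): aircraft images are public, flight images follow the flight's visibility, and BasicMed and endorsement images are owner-only, with the instructor case treated as not-owner. The signed-link part is a generic HMAC scheme standing in for the "pass credentials" idea, not an AWS API; `Image`, `can_view`, `issue_link`, `verify_link`, the `/img/` path and the key are all hypothetical names and constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumption: a server-side secret that is never sent to clients (constructed value).
SIGNING_KEY = b"constructed-demo-key"

@dataclass(frozen=True)
class Image:
    kind: str                      # "aircraft", "flight", "basicmed" or "endorsement"
    owner: str                     # user who owns the flight or document
    key: str                       # storage object key (constructed sample values)
    flight_is_public: bool = False

def can_view(image: Image, viewer: Optional[str]) -> bool:
    """Access rule from the issue; viewer is None for anonymous requests.
    For the mobile apps, viewer would be the user resolved from the authtoken."""
    if image.kind == "aircraft":
        return True                # aircraft images are all public
    if image.kind == "flight" and image.flight_is_public:
        return True                # public flight: its images are public too
    # Private flights, BasicMed and endorsements: owner only. An instructor
    # viewing a student's logbook is not the owner, so is refused here.
    return viewer is not None and viewer == image.owner

def sign(key: str, expires: int) -> str:
    """HMAC over the object key and expiry, so neither can be changed."""
    msg = f"{key}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def issue_link(image: Image, viewer: Optional[str], now: int,
               ttl: int = 300) -> Optional[str]:
    """Return a short-lived signed link, or None when access is refused."""
    if not can_view(image, viewer):
        return None
    expires = now + ttl
    return f"/img/{image.key}?exp={expires}&sig={sign(image.key, expires)}"

def verify_link(key: str, expires: int, sig: str, now: int) -> bool:
    """Check made where the image is served: signature, then expiry."""
    return hmac.compare_digest(sign(key, expires), sig) and now <= expires
```

The authorization decision happens once, when the link is issued; the serving side only has to validate the signature and expiry, which is what keeps image bytes from having to pass through the application.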