Problem
Same class of bug as #173 (company), this time on the BillingType
controller:
GET /v1/billingtype/:id returns 404 for non-existent ids and 403
for ids that exist but belong to a different tenant
PATCH /v1/billingtype/:id does the same
DELETE /v1/billingtype/:id does the same
A scoped (non-master) caller can iterate btId values and learn
which ids are populated across the whole tenant table by status
code alone.
Fix
Collapse "exists but not yours" into 404 with the same "Not found." body
the absent-id branch uses. Master-key callers unchanged; own-tenant 200
path unchanged.
Same pattern propagates to every soft-deletable entity (worker,
customer, invoice, job, …). They'll get their own PRs in follow-up
iterations — one entity per PR.
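To make the before/after concrete, here is an added example (not the project's controller or test code) of a minimal in-memory lookup with the leaky 403/404 split beside the collapsed version; `resolveBefore`, `resolveAfter`, `distinctResponses` and the sample rows are all made up for illustration.

```javascript
// Added example, not the project's controller. Function names and the
// sample table below are constructed for illustration only.
const NOT_FOUND = { status: 404, body: { error: 'Not found.' } };
const FORBIDDEN = { status: 403, body: { error: 'Forbidden.' } };

// Constructed sample table: btId -> row with its owning tenant.
const billingTypes = new Map([
  [1, { btId: 1, tenantId: 'tenant-a', name: 'hourly' }],
  [2, { btId: 2, tenantId: 'tenant-b', name: 'fixed' }],
]);

// caller shape assumed here: { tenantId: string, isMaster: boolean }

// Before: a scoped caller gets 404 for absent ids but 403 for ids that
// exist under another tenant, so the status code alone reveals existence.
function resolveBefore(caller, btId) {
  const row = billingTypes.get(btId);
  if (!row) return NOT_FOUND;
  if (!caller.isMaster && row.tenantId !== caller.tenantId) return FORBIDDEN;
  return { status: 200, body: row };
}

// After: "exists but not yours" falls into the same branch as "absent",
// returning the identical status and body. Master-key callers and the
// own-tenant 200 path are unchanged.
function resolveAfter(caller, btId) {
  const row = billingTypes.get(btId);
  if (!row || (!caller.isMaster && row.tenantId !== caller.tenantId)) {
    return NOT_FOUND;
  }
  return { status: 200, body: row };
}

// Defender-side check: probe a range of ids as a scoped caller and count the
// distinct (status, body) responses. A leak-free handler produces exactly one
// distinct response across foreign and absent ids; a leaky one produces two.
function distinctResponses(resolve, caller, ids) {
  const seen = new Set();
  for (const id of ids) {
    const r = resolve(caller, id);
    seen.add(`${r.status}:${JSON.stringify(r.body)}`);
  }
  return seen;
}
```

The `distinctResponses` check is the property a regression test should pin: for a non-master caller, foreign ids and absent ids must be indistinguishable by status and body.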
Acceptance
getById: non-master + existing-but-not-yours → 404
update: non-master + existing-but-not-yours → 404
remove: non-master + existing-but-not-yours → 404
tests/api/billingtype.test.js pins all three
Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/