Problem
Same class of bug as #173 (company), #187 (billingtype), #191 (worker),
on the InventoryItem controller. /v1/inventoryitem/:id GET/PATCH/DELETE
returns 404 for absent ids but 403 for existing-but-not-yours. The status
difference is an oracle: a caller scoped to one tenant can enumerate which
invitId values exist across the whole tenant table without reading a row.
Fix
Collapse both cases into 404 with the same body. Master-key + own-tenant
paths unchanged.
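Added illustration, not the project's controller code: the leaky handler beside the collapsed-to-404 version, written framework-agnostic so the status/body pair can be asserted directly. The in-memory ITEMS table, the caller shape ({ tenantId, isMaster }) and the helper names findScoped/enumerate are assumptions for this example. The key move is to scope the lookup itself (id plus tenant, unless master) so that "absent" and "not yours" are the same miss and share one frozen response body.

```javascript
// Added example, not the project's code. ITEMS, the caller shape and the
// helper names are assumptions; only the 403-vs-404 behaviour is from the issue.

// Constructed sample table: two tenants, three items.
const ITEMS = new Map([
  [101, { id: 101, tenantId: 'acme', sku: 'WIDGET-1' }],
  [102, { id: 102, tenantId: 'acme', sku: 'WIDGET-2' }],
  [201, { id: 201, tenantId: 'globex', sku: 'GIZMO-1' }],
]);

// One shared, frozen body so both miss cases are byte-identical on the wire.
const NOT_FOUND = Object.freeze({ status: 404, body: Object.freeze({ error: 'not found' }) });

// Before: "absent" (404) is distinguishable from "exists, other tenant" (403).
function getByIdLeaky(caller, id) {
  const item = ITEMS.get(id);
  if (!item) return NOT_FOUND;
  if (!caller.isMaster && item.tenantId !== caller.tenantId) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  return { status: 200, body: item };
}

// After: the lookup is scoped. A non-master caller effectively queries
// (id, tenantId) as one key; master-key callers see every tenant.
function findScoped(caller, id) {
  const item = ITEMS.get(id);
  if (!item) return null;
  return caller.isMaster || item.tenantId === caller.tenantId ? item : null;
}

function getById(caller, id) {
  const item = findScoped(caller, id);
  return item ? { status: 200, body: item } : NOT_FOUND;
}

function update(caller, id, patch) {
  const item = findScoped(caller, id);
  if (!item) return NOT_FOUND;
  // id and tenantId are pinned: a PATCH must not move a row across tenants.
  const updated = { ...item, ...patch, id: item.id, tenantId: item.tenantId };
  ITEMS.set(id, updated);
  return { status: 200, body: updated };
}

function remove(caller, id) {
  const item = findScoped(caller, id);
  if (!item) return NOT_FOUND;
  ITEMS.delete(id);
  return { status: 204, body: null };
}

// The attacker's loop: every id that is not a 404 is a row that exists somewhere.
function enumerate(handler, caller, ids) {
  return ids.filter((id) => handler(caller, id).status !== 404);
}

function demo() {
  const scopedCaller = { tenantId: 'globex', isMaster: false };
  const probe = [100, 101, 102, 103, 201];
  console.log('leaky  :', enumerate(getByIdLeaky, scopedCaller, probe)); // 101, 102, 201
  console.log('fixed  :', enumerate(getById, scopedCaller, probe));      // 201 only
}

demo();
```

With the leaky handler a globex-scoped caller learns that ids 101 and 102 exist even though it can read neither; with the scoped lookup it learns only about its own rows, and the master-key and own-tenant paths return exactly what they did before.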
Acceptance
getById: non-master + existing-but-not-yours → 404
update: non-master + existing-but-not-yours → 404
remove: non-master + existing-but-not-yours → 404
tests/api/inventoryitem.test.js pins all three
Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/