Problem
Same class as #173/#187/#191/#195 on PurchaseOrderVendor. /v1/purchaseordervendor/:id GET/PATCH/DELETE returns 404 for absent ids but 403 for existing-but-not-yours, letting a scoped caller enumerate povId populations.
Fix
Collapse both cases into 404. Master + own-tenant paths unchanged.
Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/
Problem
Same class as #173/#187/#191/#195 on PurchaseOrderVendor.
/v1/purchaseordervendor/:idGET/PATCH/DELETE returns 404 for absent ids but 403 for existing-but-not-yours, letting a scoped caller enumeratepovIdpopulations.Fix
Collapse both cases into 404. Master + own-tenant paths unchanged.
Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/