Problem
Same class as #173/#187/#191/#195/#199/#203, now on the first vendor-cascade-scoped entity: PurchaseOrderHeader. /v1/purchaseorderheader/:id GET/PATCH/DELETE returns 404 for absent ids but 403 for existing-but-not-yours, letting a scoped caller enumerate pohId populations.
Fix
Collapse both cases into 404. Master + own-tenant paths unchanged. Cascade auth resolution (pohPovId → vendor.povCompId) preserved.
Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/
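A sketch of the collapsed lookup described above, as an added example that is not the project's own code. The in-memory data, the `povId` key, the caller shape (`isMaster`, `compId`) and all function names are assumptions; only `pohId`, `pohPovId` and `povCompId` come from the description.

```javascript
// Constructed sample data; key names other than pohId, pohPovId and
// povCompId are assumptions made for this example.
const vendors = new Map([
  [10, { povId: 10, povCompId: 1 }],
  [20, { povId: 20, povCompId: 2 }],
]);
const purchaseOrderHeaders = new Map([
  [100, { pohId: 100, pohPovId: 10 }], // company 1, via vendor 10
  [200, { pohId: 200, pohPovId: 20 }], // company 2, via vendor 20
]);

// One shared response object, so status and body cannot drift apart
// between the "absent" and "not yours" branches.
const NOT_FOUND = Object.freeze({ status: 404, body: { error: "Not found" } });

// Cascade resolution: pohPovId -> vendor.povCompId.
function owningCompany(poh) {
  const vendor = vendors.get(poh.pohPovId);
  return vendor ? vendor.povCompId : null;
}

// Hypothetical caller shape: { isMaster: boolean, compId: number }.
function getPurchaseOrderHeader(caller, id) {
  const poh = purchaseOrderHeaders.get(id);
  if (!poh) return NOT_FOUND;
  if (caller.isMaster) return { status: 200, body: poh };
  // Existing-but-not-yours (or an orphaned vendor link) is answered
  // exactly like an absent id instead of with 403.
  if (owningCompany(poh) !== caller.compId) return NOT_FOUND;
  return { status: 200, body: poh };
}

// Regression helper: the distinct statuses a caller sees across a set of ids.
function statusesSeen(caller, ids) {
  const seen = ids.map((id) => getPurchaseOrderHeader(caller, id).status);
  return [...new Set(seen)].sort();
}
```
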