Skip to content

purchaseorderline: cross-tenant GET/PATCH/DELETE returns 403 — same class as #209 (secure-404) #213

Closed
#214
Closed
purchaseorderline: cross-tenant GET/PATCH/DELETE returns 403 — same class as #209 (secure-404)#213
#214
@CryptoJones

Description

@CryptoJones
CryptoJones
opened on May 19, 2026

Problem

Same class as the seven prior secure-404 fixes (#173/#187/#191/#195/#199/#203/#209), now on the two-level cascade-scoped PurchaseOrderLine: polpoh → header.pohPovId → vendor.povCompId. Scoped callers can enumerate polId populations by status code.

Fix

Collapse both cases into 404. Cascade auth resolution preserved.

Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions