Comment 12 for bug 644092

Soren wrote:

"Now that I think about it, I'm not sure how they're supposed to work? They're applied before the object(s) being accessed are even known, so it only really checks if context.user has the given role on context.project, right? So any checks further down should check whether the object being accessed belongs to context.project. Is that accurate?"

This is what I am proposing. That the datalayer should check to see if the project is allowed to access the object.