I think those rbac decorators all over the cloud API got me fooled into thinking this was taken care of.
Now that I think about it, I'm not sure how they're supposed to work? They're applied before the object(s) being accessed are even known, so it only really checks if context.user has the given role on context.project, right? So any checks further down should check whether the object being accessed belongs to context.project. Is that accurate?
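As an added illustration of the two layers the comment describes (this is not code from the project under discussion; `Context`, `rbac`, `Forbidden` and `VOLUMES` are constructed stand-ins): the decorator fires before the object is resolved, so it can only test the caller's role on `context.project`, and the ownership check has to be made against the loaded object itself.

```python
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class Context:
    """Constructed stand-in for the request context: caller, current project, roles per project."""
    user: str
    project: str
    roles: dict = field(default_factory=dict)  # project id -> set of role names


class Forbidden(Exception):
    pass


def rbac(role):
    """Hypothetical decorator of the kind the comment describes: it runs before any
    object is loaded, so the only thing it can check is the role on context.project."""
    def wrap(fn):
        @wraps(fn)
        def inner(context, *args, **kwargs):
            if role not in context.roles.get(context.project, set()):
                raise Forbidden(f"{context.user} lacks role {role!r} on {context.project}")
            return fn(context, *args, **kwargs)
        return inner
    return wrap


# Constructed store: object id -> record, each owned by exactly one project.
VOLUMES = {
    "vol-1": {"project_id": "proj-a", "size": 10},
    "vol-2": {"project_id": "proj-b", "size": 20},
}


@rbac("member")
def get_volume_unchecked(context, volume_id):
    # Only the role was checked; nothing ties the returned object to context.project,
    # so a member of proj-a can read proj-b's volume.
    return VOLUMES[volume_id]


@rbac("member")
def get_volume(context, volume_id):
    vol = VOLUMES[volume_id]
    # The object-level check the comment asks about: the loaded object must belong
    # to the caller's current project, regardless of what the decorator passed.
    if vol["project_id"] != context.project:
        raise Forbidden(f"{volume_id} does not belong to project {context.project}")
    return vol
```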