Over-specific method in api

[thomax]

No description provided.

[thomax]

Copied from #2 (comment)
An :identity or :created_by parameter won't help, because someone could simply remove the parameter in order to see the email address or whatever.

This needs to be implemented by the policy/permissions system.

[thomax]

Copied from #2 (comment)
I think the idea here is to use the current_identity as a filter, not as a mean of access control.

[thomax]

Copied from #2 (comment)
But the email address would still be available if you get a bunch of posts (for the main view in dittforslag, for example), right?

[thomax]

Copied from #2 (comment)
Yes, but restrictions on who gets to see what should be enforced by a designated policy system. See also Simens comment on #7.

[thomax]

Copied from #2 (comment)
yeah, agreed. Conclusion is: we need to keep the dirty hack for now, and refactor when we implement the policy system :)

[thomax]

Copied from #2 (comment)
I believe this is also related to issue #58