Investigate ID leakage in get_permissions_object
PermissionManagerType.get_permissions_object
returns a default policy (true you can see everything by default, false your can't) plus a list of id's which are exceptions to the default.
This will leak id's of things you cant see when default=True. Now that we have properly and fully implemented filter_queryset
, do we need to send an exceptions list when default=True for objects that the user can't even see?
Edited by Nigel Gott