Partial fix of PR neuro-inc/platform-api#423 : in order not to over-complicate the permission checking logic (via AccessTree) with processing the resource type, we simply restrict sharing "bad" images on the client-side.
Personally, I think it's correct behaviour: when the platform-auth receives a request from user A to share resource R with B, it simply puts the corresponding record to the AccessTree and returns the result of this "access tree update" operation -- not the result of resource sharing. Subsequently, if the client wants to verify the result of the sharing operation, it could do it in an additional step.
Partial fix of PR neuro-inc/platform-api#423 : in order not to over-complicate the permission checking logic (via AccessTree) with processing the resource type, we simply restrict sharing "bad" images on the client-side.
Personally, I think it's correct behaviour: when the platform-auth receives a request from user
Ato share resourceRwithB, it simply puts the corresponding record to the AccessTree and returns the result of this "access tree update" operation -- not the result of resource sharing. Subsequently, if the client wants to verify the result of the sharing operation, it could do it in an additional step.