by andyfang 4633 days ago
We thought about this approach. This would mean that we'd have to have fine-grained permissions logic every time we used that resource. An analogy to this is like having to sanitize literal strings for every user input from a web form; if you forget to sanitize (or, in the API case, forget to filter the fields) at any point, you have a security bug in your code.

You're still doing filtering. The difference I see is your database request code is duplicated. Conceptually the condition is moved, but it is bound to exist somewhere. This is IMO a semantics question. Thanks for your input anyway, you gave me a new perspective to wonder about.