Filter assets by read-only permission #2300
Description
This is a feature request where we would like to enable an option on WebAPI that would restrict items from being returned to callers if they do not have read permission to the entity.
Currently, WebAPI assumes all users are granted read-access to entities. Write permission is granted to the entity creator, and also can be assigned by the creator to other users.
This enhancement would allow read permission to be assigned to a user, and, if readOnlyPermission is enabled, WebAPI will filter any asset that a user does not have read-access from any WebAPI call.
This enhancement can be accomplished using current security implementation (read permission is something that exists via the :get roles), but the new functionality would be to not assume everyone with read-permission, and instead provide a mechanism to filter and assign read permission to users.