- Requests performed internally to read a resource being patched/updated may not retrieve the relationship field being patch and not see the relationship that already exists for edges that need to be cleaned up. This is only happening when filters in the PrivilegeContext limit the relationship field from being viewed for certain objects. The object(s) appears to be null on the origin object, and allows for the relationship to be created even though the relationship already exists.
- The request performed internally in ManagedObjectSet#deleteInstance & InternalObjectSet#deleteInstance reads the resource being deleted with all possible relationships of the resource. That response is being sent back to the requester. If the requestor asks for a relationship field in the delete request, the relationships for that field are returned in entirety even if requester only has privilege to view a subset. A read with filters should be performed (if needed) to gather an accurate ResourceResponse to return after delete has completed.
Any requests made for internal logic within MOS or IOS should not consider privileges. The only request that should consider filters for relationships should be the final request to read the resulting resource.