auth token should pass through #1

Closed
broskoski opened this issue Sep 18, 2015 · 1 comment

Comments

@broskoski
Contributor

The unresolved issue I see here is authentication + caching. Ideally:

  • An X-AUTH-TOKEN is passed through the request
  • Metaphysics maintains an admin token to have the data it needs to show UI-specific computed attributes (i.e. show_carousel).

First thing that comes to mind is whitelisting attributes based on what is returned by a non-admin, and allowing those + whatever is computed to be returned in the response. We ideally don't want to deal with two sets of caches per admin and non-admin (and whatever else comes down the line). There may be some cases that I am overlooking here (can_download_image for example).

@dzucconi
Member

I can see us defining domain objects that have serializers to handle the whitelisting + virtual attributes.

Virtual attributes that get computed on a per-request basis would be fine: just pass whatever "permissions" you need and the user might have in your request and deal with it based on that.
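
One way to sketch the design discussed in this thread, as an added example that is not code from Metaphysics or from either commenter: a single cache of admin-fetched records, read through a serializer that allowlists attributes and computes virtual attributes per request. The record fields, the serializer shape and the `download` permission are assumptions; only `X-AUTH-TOKEN`, `show_carousel` and `can_download_image` come from the thread.

```javascript
// Hypothetical sketch; none of these names come from the Metaphysics code base.

// Single cache, filled with records fetched using the service's admin token.
const cache = new Map();

// Constructed sample record, as an admin fetch might return it.
cache.set('artwork:1', {
  id: '1',
  title: 'Untitled',
  image_url: 'https://example.test/1.jpg',
  partner_notes: 'admin-only',     // must never leave the service
  carousel_image_count: 3,         // admin-only input to a computed attribute
  downloadable_by: ['download'],   // permissions that allow a download
});

// Domain object definition: an allowlist of attributes a non-admin may see,
// plus virtual attributes computed from the full (admin) record.
const artworkSerializer = {
  allow: ['id', 'title', 'image_url'],
  virtual: {
    // Same for every caller, derived from admin-only data.
    show_carousel: (record) => record.carousel_image_count > 1,
    // Computed per request from the caller's permissions.
    can_download_image: (record, permissions) =>
      record.downloadable_by.some((p) => permissions.has(p)),
  },
};

function serialize(serializer, record, permissions) {
  const out = {};
  for (const key of serializer.allow) {
    if (Object.prototype.hasOwnProperty.call(record, key)) out[key] = record[key];
  }
  for (const [name, compute] of Object.entries(serializer.virtual)) {
    out[name] = compute(record, permissions);
  }
  return out;
}

// The caller's permissions are assumed to have been resolved elsewhere from
// the X-AUTH-TOKEN on the request; an absent token yields an empty set.
function resolve(key, permissions = new Set()) {
  const record = cache.get(key);
  if (!record) return null;
  return serialize(artworkSerializer, record, permissions);
}
```

Because only the serialized view leaves `resolve`, the cache stays keyed by record alone and an attribute missing from `allow` fails closed.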
