and that authorize-then-filter vs filter-then-authorize question usually comes down to whether your set of filtered results is >>> the number of things the user is allowed to see or vice versa