This has come up during investigation of #128, and needs further discussion:
One of the reasons we decided to use uuids as ids is to enable passing around of identifiers to/from clients and other services, and we're supporting this for pre-existing resources in our system - votes, delegations and participants already persisted in the database.
Currently we support upserts of participants on delegation and voting creation based on emails provided by the client.
Another potential scenario is when the client already generates uuids for their participants (for which they're the source of truth), and submits that to us instead of an email. For instance, when creating a delegation, submitting `delegator_id` and `delegate_id` instead of a `delegator_email` and `delegate_email`. This could be a way to improve the privacy of the participant in our system. We'd only know their client-side id.
Questions raised so far:
- YAGNI?
- any security issues with passing around a direct db identifier like that?
- in some instances clients will create a view-only uuid, and sometimes that's ephemeral. How do we handle that?
oliverbarnes changed the title from "Should we allow creation of participants with uuids provided by the client" to "Should we allow creation of participants with uuids provided by the client?" on Sep 14, 2020