In internal/authorization/converters.go, L228, one thing we don't do here is actually check that the first id (group_id) is non-blank. This may raise issues at runtime if we don't validate endpoint path variables before this middleware is run; otherwise we would need to first check, after parameter retrieval, whether the group_id is empty and whether the method allows for an empty parameter, like GET (-> can_view) or POST (-> can_edit).
Using regexp URL parameters to validate that selected endpoints have an ID path variable populated is the best way to fix this.
From the doc:
// Regexp url parameters:
r.Get("/{articleSlug:[a-z-]+}", getArticleBySlug) // GET /articles/home-is-toronto
Bonus nitpick
/entitlements-suffixed endpoints for groups don't support POST operations in this PR, only GET, PATCH and DELETE.
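An added example, not code from this comment or the project, of the guard the comment asks for, written against the Go standard library rather than chi: a regexp that mirrors a chi-style `{groupId:[a-zA-Z0-9-]+}` parameter rejects a blank group_id before the method-to-permission mapping (GET -> can_view, POST -> can_edit) is consulted. The `/groups/` prefix, the id character class and the `statusFor` helper are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// idPattern mirrors a chi-style regexp parameter such as /groups/{groupId:[a-zA-Z0-9-]+}:
// a blank segment can never match it. The /groups/ prefix and character class are assumptions.
var idPattern = regexp.MustCompile(`^[a-zA-Z0-9-]+$`)

// permissionFor is the GET -> can_view, POST -> can_edit mapping from the comment; other methods stay unmapped.
func permissionFor(method string) (string, bool) {
	switch method {
	case http.MethodGet:
		return "can_view", true
	case http.MethodPost:
		return "can_edit", true
	}
	return "", false
}

// groupIDFromPath takes the segment after /groups/ and validates it, so /groups//entitlements yields ok=false.
func groupIDFromPath(path string) (string, bool) {
	id, _, _ := strings.Cut(strings.TrimPrefix(path, "/groups/"), "/")
	if !strings.HasPrefix(path, "/groups/") || !idPattern.MatchString(id) {
		return "", false
	}
	return id, true
}

// requireGroupID rejects a missing or malformed group_id before the authorization middleware sees the request.
func requireGroupID(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := groupIDFromPath(r.URL.Path); !ok {
			http.Error(w, "group_id path variable is required", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor drives the guard with an in-memory request and returns the resulting status code.
func statusFor(method, path string) int {
	rec := httptest.NewRecorder()
	requireGroupID(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })).ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code
}

func main() {
	fmt.Println(statusFor(http.MethodGet, "/groups//entitlements")) // 400: blank id never reaches authorization
}
```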