The backend has a role-based authorization middleware, but role declarations have not yet been added to all of the API routes. Consequently, some API endpoints grant more lenient access than they should. These declarations need to be added and, where necessary, additional roles defined (only one role may be defined per endpoint, so roles may be compositions of various access criteria, including group and library membership and the authentication status of the user).
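As an added illustration (not the project's own code), the sketch below shows one named role per endpoint built by composing access criteria, plus an audit that lists routes with a missing or unknown role declaration. The `User` model, route table, role names and the deny-by-default behaviour for undeclared routes are all assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:  # hypothetical user model
    authenticated: bool = False
    groups: frozenset = frozenset()
    libraries: frozenset = frozenset()

# Access criteria are predicates over (user, request parameters).
def is_authenticated(u, p): return u.authenticated
def library_member(u, p): return p.get("library_id") in u.libraries
def in_group(name): return lambda u, p: name in u.groups

# Combinators let a single role express several criteria at once.
def all_of(*cs): return lambda u, p: all(c(u, p) for c in cs)
def any_of(*cs): return lambda u, p: any(c(u, p) for c in cs)

# One named role per endpoint; each role is a composition of criteria.
ROLES = {
    "public": lambda u, p: True,
    "user": is_authenticated,
    "library_member_or_admin": all_of(
        is_authenticated, any_of(library_member, in_group("admin"))),
}

# Constructed route table; None marks a route whose declaration is missing.
ROUTES = {
    ("GET", "/health"): "public",
    ("GET", "/libraries/{library_id}/items"): "library_member_or_admin",
    ("DELETE", "/libraries/{library_id}"): None,
}

def authorize(method, path, user, params):
    """Return True only if the route declares a known role and it passes."""
    check = ROLES.get(ROUTES.get((method, path)))
    # Assumption: undeclared routes are denied rather than left open.
    return bool(check and check(user, params))

def undeclared_routes():
    """Audit helper: routes with no role, or a role name that is not defined."""
    return sorted(route for route, role in ROUTES.items() if role not in ROLES)

if __name__ == "__main__":
    for method, path in undeclared_routes():
        print(f"missing role declaration: {method} {path}")
```

Running `undeclared_routes()` as a startup check or CI test turns a forgotten declaration into a visible failure instead of a silently permissive endpoint.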