imbajin commented on code in PR #3008:
URL: https://github.com/apache/hugegraph/pull/3008#discussion_r3187081094


##########
hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/auth/ManagerAPI.java:
##########
@@ -259,6 +262,46 @@ public String getRolesInGs(@Context GraphManager manager,
                                 result));
     }
 
+    @GET
+    @Timed
+    @Path("default")
+    @Consumes(APPLICATION_JSON)
+    public String checkDefaultRole(@Context GraphManager manager,
+                                   @QueryParam("graphspace") String graphSpace,
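Review bot: `@Consumes(APPLICATION_JSON)` on a `@GET` handler is misleading: a GET request carries no entity body, so there is nothing for the endpoint to consume, and the annotation reads as if the caller were expected to send JSON. If the intent is to declare the response format of `checkDefaultRole`, replace it with `@Produces(APPLICATION_JSON)`; otherwise drop it. Separately, the `@QueryParam("graphspace")` here duplicates the `{graphspace}` segment the class is mounted under, so the same request can name two different graphspaces; binding to `@PathParam("graphspace")` keeps the authorization check tied to the route that is actually being accessed.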

Review Comment:
   ⚠️ **Bug: this endpoint ignores the path graphspace and trusts query `graphspace` instead**
   
   `ManagerAPI` is already mounted under `graphspaces/{graphspace}/auth/managers`, but this method reads `graphspace` from the query string. A request can therefore hit one graphspace path while checking another graphspace via query params, which is surprising and easy to misuse. Please use the existing path parameter here (or move the API to a non-graphspace route if the intended contract is global).
   
   ```suggestion
                                      @PathParam("graphspace") String graphSpace,
   ```
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]