Skip to content

Update authorization.md for request response clarity #2167

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sjvans wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Update authorization.md for request response clarity #2167

sjvans wants to merge 3 commits into from

Conversation

@sjvans
Copy link
Contributor

@sjvans sjvans commented Oct 23, 2025

Clarified behavior of request responses for non-existent entities and unauthorized access.

@sjvans
Update authorization.md for request response clarity
4fece59 
Clarified behavior of request responses for non-existent entities and unauthorized access.
@sjvans sjvans marked this pull request as ready for review October 23, 2025 09:02
@sjvans sjvans requested a review from renejeglinsky as a code owner October 23, 2025 09:02
@renejeglinsky renejeglinsky added the AI Review AI generated suggestions label Nov 4, 2025
github-actions[bot]
github-actions bot reviewed Nov 4, 2025
View reviewed changes
Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's a supportive code review enhanced by AI assistance. These suggestions offer potential improvements and insights to consider, though they're recommendations rather than requirements. You have full control over which feedback to implement based on your project's specific needs and goals. The AI analysis is here to complement your expertise and help streamline your development process.
Model: claude-sonnet-4-20250514 | Prompt Tokens: 960 | Completion Tokens: 414

@renejeglinsky renejeglinsky removed the AI Review AI generated suggestions label Nov 4, 2025
@renejeglinsky
Copy link
Contributor

renejeglinsky commented Nov 12, 2025

@sjvans Could you review the AI suggestions? In addition I'd like to collect feedback on the usage of an AI Review. Feel free to sent it my way :)

@sjvans @github-actions
Update guides/security/authorization.md
83625b6 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@sjvans
Copy link
Contributor Author

sjvans commented Nov 12, 2025

@sjvans Could you review the AI suggestions? In addition I'd like to collect feedback on the usage of an AI Review. Feel free to sent it my way :)

i'm a satisfied customer!

renejeglinsky
renejeglinsky reviewed Dec 19, 2025
View reviewed changes
guides/security/authorization.md
::: info Avoid enumerable keys
In case the filter condition is not met in an `UPDATE` or `DELETE` request, the runtime rejects the request (response code 403) even if the user is not even allowed to read the entity. To avoid to disclosure the existence of such entities to unauthorized users, make sure that the key is not efficiently enumerable.
In case the filter condition is not met in an `UPDATE` or `DELETE` request, the runtime rejects the request with a `404` response if the entity doesn't exist but a `READ` request would succeed if it did.
Otherwise, the runtime rejects with `403`, so that the response is consistent whether the entity doesn't exist or the user is not allowed to read it (in both cases a `READ` would result in a `404`).
Copy link
Contributor

@renejeglinsky renejeglinsky Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is "Otherwise" meaning here? Filter condition met? Or filter condition not met but a different request?

Copy link
Contributor

@renejeglinsky renejeglinsky Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Otherwise, the runtime rejects with `403`, so that the response is consistent whether the entity doesn't exist or the user is not allowed to read it (in both cases a `READ` would result in a `404`).
For all other requests, if the filter condition is not met, the runtime rejects with `403`, so that the response is consistent whether the entity doesn't exist or the user is not allowed to read it (in both cases a `READ` would result in a `404`).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renejeglinsky renejeglinsky renejeglinsky left review comments

@github-actions github-actions[bot] github-actions[bot] left review comments

@johannes-vogel johannes-vogel Awaiting requested review from johannes-vogel

@BraunMatthias BraunMatthias Awaiting requested review from BraunMatthias

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sjvans @renejeglinsky