
GET /slices/synchronize_groups is unreachable (shadowed by /:slice_id route) #239

Description

@alexskr

Summary

The admin endpoint GET /slices/synchronize_groups (in controllers/slices_controller.rb) is unreachable. The earlier get '/:slice_id' route in the same namespace matches synchronize_groups as a :slice_id value, so requests are handled by the public "show a single slice" route and return 404 ("Slice synchronize_groups not found") instead of running the sync logic. Its admin_only! guard never executes either.

Root cause

Sinatra matches routes in definition order (first match wins). In slices_controller.rb the routes are declared as:

  1. get '/:slice_id' (public show) — defined first
  2. ...
  3. get '/synchronize_groups' (admin sync) — defined later

/slices/synchronize_groups matches pattern #1 (:slice_id = "synchronize_groups") before #3 is ever considered.

Confirmed with an isolated Sinatra routing probe: a request to /slices/synchronize_groups is served by the /:slice_id handler.

Impact

  • The group→slice synchronization feature is currently inaccessible via the API. It is not actively used today, but it could be useful: it (re)creates or updates a Slice for each Group so their ontologies stay in sync.
  • Low security concern: the route falls through to the public show route (404), so nothing privileged is exposed — but the intended admin_only! gate on the sync action is moot since the action can't run.

Suggested fix

Define the literal route before the parameterized one (literal routes should precede :param routes in a namespace):

get '/synchronize_groups' do ... end   # move above
get '/:slice_id' do ... end

Alternatively, move it under a non-colliding path. After fixing the routing, verify that the admin_only! gate actually engages (add it to the gate test in test/controllers/test_admin_only_endpoints.rb).
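The shadowing described above, reproduced as an added example in plain Ruby (this is neither the project's code nor Sinatra itself, only a model of Sinatra's definition-order, first-match dispatch). It shows the current ordering falling through to the show handler, the suggested ordering reaching the guarded sync handler, and a small lint (`shadowed_routes`) that flags literal routes declared after a parameterized route that would capture them; the handler bodies and status codes are constructed stand-ins.

```ruby
# Plain-Ruby model of Sinatra dispatch: routes are tried in definition order,
# first match wins. Assumption: ':name' matches exactly one path segment.
class FirstMatchRouter
  Route = Struct.new(:pattern, :regex, :keys, :handler)

  def initialize
    @routes = []
  end

  # Register a GET route; ':name' segments become captures ([^/]+).
  def get(pattern, &handler)
    keys = []
    source = Regexp.escape(pattern).gsub(/:(\w+)/) { keys << Regexp.last_match(1); '([^/]+)' }
    @routes << Route.new(pattern, /\A#{source}\z/, keys, handler)
    self
  end

  # Dispatch: scan in declaration order and run the first matching handler.
  def call(path)
    @routes.each do |route|
      m = route.regex.match(path)
      return route.handler.call(route.keys.zip(m.captures).to_h) if m
    end
    [404, 'no route']
  end

  # Lint: literal routes that an earlier parameterized route would capture.
  def shadowed_routes
    @routes.each_with_index.select do |route, i|
      route.keys.empty? && @routes[0...i].any? { |r| r.regex.match?(route.pattern) }
    end.map { |route, _| route.pattern }
  end
end

# Constructed stand-ins for the two handlers described in the issue.
SHOW = lambda do |p|
  p['slice_id'] == 'synchronize_groups' ? [404, 'Slice synchronize_groups not found'] : [200, "show #{p['slice_id']}"]
end
SYNC = ->(_p) { [403, 'admin_only! engaged'] } # the guard would run before the sync logic

# Route table as it stands in the issue: ':slice_id' declared first.
def shadowed_router
  FirstMatchRouter.new.get('/slices/:slice_id', &SHOW).get('/slices/synchronize_groups', &SYNC)
end

# Suggested fix: the literal route precedes the parameterized one.
def fixed_router
  FirstMatchRouter.new.get('/slices/synchronize_groups', &SYNC).get('/slices/:slice_id', &SHOW)
end
```

Running `shadowed_router.shadowed_routes` in a routing spec is a cheap guard against the same regression being reintroduced when routes are reordered later.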

Notes

Discovered while adding admin-gate test coverage in #238.
