Summary
The admin endpoint GET /slices/synchronize_groups (in controllers/slices_controller.rb) is unreachable. The earlier get '/:slice_id' route in the same namespace matches synchronize_groups as a :slice_id value, so requests are handled by the public "show a single slice" route and return 404 ("Slice synchronize_groups not found") instead of running the sync logic. Its admin_only! guard never executes either.
Root cause
Sinatra matches routes in definition order (first match wins). In slices_controller.rb the routes are declared as:
1. get '/:slice_id' (public show) — defined first
2. ...
3. get '/synchronize_groups' (admin sync) — defined later
/slices/synchronize_groups matches pattern #1 (:slice_id = "synchronize_groups") before #3 is ever considered.
Confirmed with an isolated Sinatra routing probe: a request to /slices/synchronize_groups is served by the /:slice_id handler.
Impact
- The group→slice synchronization feature is currently inaccessible via the API. It isn't actively used today, but it could be useful (it (re)creates/updates a Slice for each Group so their ontologies stay in sync).
- Low security concern: the route falls through to the public show route (404), so nothing privileged is exposed — but the intended admin_only! gate on the sync action is moot since the action can't run.
Suggested fix
Define the literal route before the parameterized one (literal routes should precede :param routes in a namespace):
get '/synchronize_groups' do ... end # move above
get '/:slice_id' do ... end
Alternatively move it under a non-colliding path. After fixing routing, verify the admin_only! gate actually engages (add it to the gate test in test/controllers/test_admin_only_endpoints.rb).
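To make the ordering problem concrete, here is an added example (not code from the project or from Sinatra) with a minimal first-match router that models how Sinatra dispatches: routes are tried in definition order and a ':param' segment matches any single path segment. The paths drop the /slices namespace prefix, and SLICES plus the admin flag are constructed stand-ins for the real lookup and admin_only! guard.

```ruby
# Minimal stand-in for Sinatra's dispatch (first match wins, ':param' matches
# one path segment). Illustration only: not slices_controller.rb, not Sinatra.
class MiniRouter
  Route = Struct.new(:pattern, :regex, :keys, :handler)

  def initialize
    @routes = []
  end

  # Compile a Sinatra-style pattern: ':slice_id' becomes a capture group that
  # matches one segment, so '/:slice_id' also matches '/synchronize_groups'.
  def get(pattern, &handler)
    keys = []
    src = pattern.gsub(/:(\w+)/) { keys << Regexp.last_match(1); '([^/]+)' }
    @routes << Route.new(pattern, /\A#{src}\z/, keys, handler)
  end

  # First matching route wins; a literal declared after a matching
  # parameterized route is never reached.
  def call(path, admin: false)
    @routes.each do |r|
      m = r.regex.match(path)
      next unless m
      params = r.keys.zip(m.captures).to_h
      return r.handler.call(params, admin)
    end
    [404, 'no route']
  end
end

# Constructed sample data standing in for the real Slice lookup.
SLICES = { 'biomed' => 'biomed slice' }

def build_router(literal_first:)
  app = MiniRouter.new
  show = ->(params, _admin) do
    slice = SLICES[params['slice_id']]
    slice ? [200, slice] : [404, "Slice #{params['slice_id']} not found"]
  end
  # 'admin' models the admin_only! gate: the sync body only runs for admins.
  sync = ->(_params, admin) { admin ? [200, 'synchronized'] : [403, 'admin only'] }
  if literal_first
    app.get('/synchronize_groups', &sync) # suggested fix: literal before :param
    app.get('/:slice_id', &show)
  else
    app.get('/:slice_id', &show)          # current (buggy) order from the report
    app.get('/synchronize_groups', &sync)
  end
  app
end
```

With the current order, an admin request for /synchronize_groups gets the show handler's 404; with the literal first, the sync handler runs and the admin gate engages.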
Notes
Discovered while adding admin-gate test coverage in #238.