[GET] /admissions/file-review/file/rubric-score/delete/{id}
`file` and `rubric-score` are singular. However, they should be plural, because this URI refers to a set of rubric scores associated with a particular file.

`file-review` is not a resource. It is a namespace, so this is okay. But multiple nested namespaces like `/admissions/file-review/file-approval/...` are a bad practice.

The wrong HTTP method is being used. The endpoint deletes rubric scores, but the HTTP method is GET. The actual verb "delete" is in the route, whereas it should instead be expressed by the HTTP method (DELETE).

This particular URI is also an example of a Cross-site Request Forgery (XSRF) vulnerability. An attacker can insert the URL in an `<img>` tag, put it on an external website, and a logged-in user who loads that page would then unknowingly trigger the rubric scores to be deleted, because the browser attaches the user's session cookie to the GET request automatically.
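As an added example (not code from the original page), the following stdlib-only Python sketch places the criticised route beside a corrected one: plural nouns, the verb moved into the HTTP method, and a per-session CSRF token that a cross-site `<img>` request cannot supply. The route handlers, the in-memory store and the session table are constructed for illustration; the hardened path `/admissions/file-review/files/{id}/rubric-scores` is an assumption about how the plural form would look.

```python
import hmac
import re
import secrets

# Constructed session table: session id -> CSRF token bound to that session.
# The token is handed to the page's own JavaScript, never stored in a cookie.
SESSIONS = {"sess-abc": secrets.token_hex(16)}

VULNERABLE_ROUTE = re.compile(r"^/admissions/file-review/file/rubric-score/delete/(?P<id>\d+)$")
HARDENED_ROUTE = re.compile(r"^/admissions/file-review/files/(?P<id>\d+)/rubric-scores$")


def make_store():
    """Constructed sample data: file id -> list of (reader, score) rubric scores."""
    return {"42": [("reader-1", 3), ("reader-2", 4)]}


def vulnerable_handle(method, path, cookies, store):
    """The design criticised above: GET performs the deletion and the session cookie
    alone authorises it. A browser sends exactly this request for a cross-site <img>."""
    m = VULNERABLE_ROUTE.match(path)
    if method != "GET" or not m or cookies.get("session") not in SESSIONS:
        return 404
    store.pop(m["id"], None)
    return 200


def hardened_handle(method, path, cookies, headers, store):
    """Corrected design: DELETE on a plural collection, plus a synchronizer token.
    The <img> request is a GET with no custom headers, so it fails twice over.
    (Marking the session cookie SameSite=Lax adds a third, browser-side barrier.)"""
    m = HARDENED_ROUTE.match(path)
    if not m:
        return 404
    if method != "DELETE":
        return 405  # a GET can never reach the deletion code
    token = SESSIONS.get(cookies.get("session"))
    if token is None:
        return 401
    supplied = headers.get("X-CSRF-Token", "")
    # A cross-site page cannot read the token, so it cannot forge this header.
    if not hmac.compare_digest(supplied.encode(), token.encode()):
        return 403
    store.pop(m["id"], None)
    return 204
```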