[GET] /admissions/file-review/file/rubric-score/delete/{id}

  • file and rubric-score are singular, but they should be plural: the URI refers to the set of rubric scores associated with one file, not to a single score.

  • file-review is not a resource. It is a namespace, which is acceptable on its own, but stacking several nested namespaces, as in /admissions/file-review/file-approval/..., is bad practice.

  • The wrong HTTP method is used. The endpoint deletes rubric scores, yet it is exposed over GET, a method that is supposed to be safe (no server-side state change) and that browsers, crawlers and prefetchers will therefore issue freely.

  • The verb "delete" appears in the route itself. The action should instead be expressed by the HTTP method, i.e. DELETE on the collection, for example DELETE /admissions/file-review/files/{id}/rubric-scores.

This particular URI is also an example of a Cross-Site Request Forgery (CSRF, sometimes written XSRF) vulnerability. An attacker can place the URL in an <img> tag on an external website; a logged-in user who visits that page has the browser load the image, the session cookie is attached to the request automatically (unless it carries a restrictive SameSite attribute), and the rubric scores are deleted without the user ever knowing. Moving the action to DELETE removes the <img> and HTML-form vectors, because neither can issue anything but GET or POST and a cross-origin fetch with DELETE must first pass a CORS preflight, but a state-changing endpoint should still be protected by a per-session CSRF token or an Origin check rather than by the method alone.
