Comment by otikik
1 day ago
If you don't want invoice 22 to be shown by someone putting 22 on the URL, you definitely need to enforce permissions on your app. The Global ID issue is tangential to that.
If you don't want invoice 22 to be shown by someone putting 22 on the URL, you definitely need to enforce permissions on your app. The Global ID issue is tangential to that.
Sure, but the real concern of the article is that if passed "gid://moneymaker/Invoice/22ecb3fd-5e25-462c-ad2b-cafed9435d16" the global id locator will effectively locate "gid://moneymaker/Invoice/22". Which is to say that what is supposed to be a system-generated id which has no need for de-slugification uses the same lookup method as is normally used for URLs, which attempts to de-slugify.
Obviously, this means that the first gid was bogus anyway, as it was trying to look up via the wrong key, but the fact that it doesn't fail, and will instead return the record with primary key "22", can certainly be surprising.
The original comment is valid though; this has nothing to do with GIDs: standard /:id/ routes and Model.find() can suffer the same issue. Probably because "22ecb3fd-5e25-462c-ad2b-cafed9435d16".to_i is still 22?
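The coercion the reply describes, and one way to refuse it, as an added example that is not part of the thread or of any real project: `lax_find` mimics a lookup that casts the raw id with `String#to_i` (so the UUID-looking value collapses to 22), while `strict_find` checks that the id matches the key's format before it is ever used as a key. The `Invoice` struct and the `INVOICES` store are constructed stand-ins for a database model.

```ruby
# Added example: a constructed in-memory "table" standing in for a model.
Invoice = Struct.new(:id, :customer)

INVOICES = {
  22 => Invoice.new(22, "acme"),
  23 => Invoice.new(23, "globex"),
}.freeze

class InvoiceNotFound < StandardError; end
class MalformedId < StandardError; end

# Lax lookup: mirrors the behaviour discussed in the thread, where the id is
# coerced with String#to_i. "22ecb3fd-..." becomes 22 and record 22 is returned
# instead of an error.
def lax_find(raw_id)
  INVOICES.fetch(raw_id.to_i) { raise InvoiceNotFound, raw_id.to_s }
end

# Strict lookup: the id must be exactly an unsigned decimal integer with no
# leading zeros, whitespace or trailing junk. Anything else is rejected as
# malformed rather than silently truncated to a different key.
INTEGER_ID = /\A[1-9]\d*\z/.freeze

def strict_find(raw_id)
  id = raw_id.to_s
  raise MalformedId, id.inspect unless INTEGER_ID.match?(id)
  INVOICES.fetch(Integer(id, 10)) { raise InvoiceNotFound, id }
end

# Same idea for a UUID-keyed model: accept only the canonical 8-4-4-4-12 hex
# form, so a bare "22" is rejected before it reaches the query.
UUID_ID = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/.freeze

def strict_uuid?(raw_id)
  UUID_ID.match?(raw_id.to_s)
end

if __FILE__ == $0
  bogus = "22ecb3fd-5e25-462c-ad2b-cafed9435d16"
  puts "lax:    #{lax_find(bogus).customer}"   # acme (record 22, no error)
  begin
    strict_find(bogus)
  rescue MalformedId => e
    puts "strict: rejected #{e.message}"
  end
end
```

Whichever format check is used, it is a complement to the permission check the parent comment asks for, not a substitute: a well-formed id still needs an authorization decision before the record is returned.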