Require `list_id` in SubscriptionsController#find_all()
We discussed previously that we accept only a filter as optional argument to SubscriptionsController#list_id()
. While looking at the authorizer policies I came to the conclusion that we do need the list_id
in order to properly authorize the action: currently that find_all
asks for Subscription, :list
— but in order to check if subscribers may see the list of subscriptions we must know which list the request is about (ask the authorizer for list, :list_subscriptions
), and therefore we need the list_id as argument to the method.