Hacker News new | ask | show | jobs
by config_yml 178 days ago
> GIDs are not checked for authorization when doing the lookup - they are meant to be generated above the authorization layer, and to be consumed above the authorization layer

Then the problem with this post boils down to applying the authorization layer in any tool call, just like you do in controllers. Seems obvious?
1 comments
jeremy_k 178 days ago
Agreed. Seems like the author tried to get fancy using GIDs with LLMs to cut down on the logic in their tool calls and opened a can of worms.
link