From 32f3b803e667c98578bea6320482c4dbc3b79054 Mon Sep 17 00:00:00 2001
From: Maxim Lebedev
Date: Mon, 13 Nov 2023 06:37:11 +0600
Subject: [PATCH] :memo: Added comment about potentially insecure static routing

---
 main.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/main.go b/main.go
index 2d3446f..52bc7ca 100644
--- a/main.go
+++ b/main.go
@@ -100,6 +100,12 @@ func NewApp(ctx context.Context, config *domain.Config) (*App, error) {
 lang := domain.NewLanguage(head)
 if lang == domain.LanguageUnd {
+ // WARN(toby3d): fetch static resources from separated static directory instead of
+ // $HOME_CONTENT_DIR?
+ //
+ // Looks like what current logic is insecure, because resource from private page in
+ // content directory '/en/page/file.jpg' by lower use case execution can be accessed
+ // here by URL '/page/file.jpg'.
 res, err := staticer.Do(r.Context(), r.URL.Path)
 if err != nil {
 if errors.Is(err, fs.ErrNotExist) {