fix(policy): handle unmapped HTTP methods in methodToAction (HEAD, OPTIONS)

## Context

Raised by Copilot review on #3134.

## Problem

`lib/middlewares/policy.js` maps HTTP methods to CASL actions:

```js
const methodToAction = {
  get: 'read', post: 'create', put: 'update', patch: 'update', delete: 'delete',
};
```

`HEAD` and `OPTIONS` are not mapped. When such a request hits `policy.isAllowed`, `action` resolves to `undefined` and is passed to `ability.can(undefined, subject)`, which can produce incorrect authorization decisions or a runtime error depending on CASL's input validation.

## Fix

Add explicit mappings for unmapped methods:

```js
const methodToAction = {
  get: 'read', post: 'create', put: 'update', patch: 'update', delete: 'delete',
  head: 'read', options: 'read',
};
```

Or add a fallback that denies unknown methods by default.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(policy): handle unmapped HTTP methods in methodToAction (HEAD, OPTIONS) #3137

Context

Problem

Fix

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Uh oh!

fix(policy): handle unmapped HTTP methods in methodToAction (HEAD, OPTIONS) #3137

Description

Context

Problem

Fix

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions