What is best practice for resource authorisation. Lets say I have:

route("/item/{item_id}") {
    get { ... }
    delete { ... }
    put { ... }
    get("/subitem/{subitem}") {
       ...
    }
  }

I am needed restrict access for whole

/item/{item_id}