Tags: rest, restful-authentication, restful-url

Authorizing REST resource access


When authorizing access to a resource from a REST endpoint, do I need to verify authorization and ownership for the entire path, or just the end resource being requested? i.e.

/companies/12/employees/209/posts/5

So the resource being accessed is post #5. Do I need to verify that employee 209 is the author of post #5, and that the employee belongs to company #12, if the person making the request has access to post #5? It seems this could get out of hand pretty quickly if the entire URL path is to be verified.


Solution

For the API, a specific post is identified by the URL, not the number at the end of the URL. Your API should treat these as two different things:

    /companies/12/employees/209/posts/5
    /companies/11/employees/209/posts/5

It's fine if your back-end pulls semantic meaning from them, but you should definitely not say "well, this last part is the unique id for the post, so I'm just going to ignore the rest of the URL". Most people using a nested structure like you are would allow for multiple posts with the id 5, one for each employee of each company.

Knowing nothing about your API, that example looks an awful lot like it should be three separate top-level endpoints, one each for /companies, /employees, and /posts. Look to minimize hierarchies when possible.
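The following is an added example, not code from the question or the answer, showing what "the URL identifies the resource" looks like in a handler: each path segment is resolved under its parent, so `/companies/11/employees/209/posts/5` does not reach the post stored under company 12 even though both paths end in `5`. The data model, the `Principal` type, the route regex and the `admin` role are all constructed for the illustration; a real service would replace the dictionaries with scoped database queries.

```python
import re
from dataclasses import dataclass

# Constructed sample data (not the asker's API). Ids are scoped by their
# parent key, so post 5 legitimately exists under more than one employee.
COMPANIES = {12: {"name": "Acme"}, 11: {"name": "Globex"}}
EMPLOYEES = {  # (company_id, employee_id) -> record
    (12, 209): {"name": "alice"},
    (12, 210): {"name": "carol"},
    (11, 300): {"name": "bob"},
}
POSTS = {  # (company_id, employee_id, post_id) -> record
    (12, 209, 5): {"title": "Q3 plan", "private": True},
    (11, 300, 5): {"title": "Lunch menu", "private": False},
}


@dataclass(frozen=True)
class Principal:
    """The authenticated caller (assumed shape; comes from your auth layer)."""
    company_id: int
    employee_id: int
    roles: frozenset


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def resolve_post(company_id: int, employee_id: int, post_id: int) -> dict:
    """Walk the path top-down; every segment must exist under its parent.

    Because each lookup is keyed by the parent ids, a path whose middle
    segments do not belong together simply resolves to nothing.
    """
    if company_id not in COMPANIES:
        raise NotFound(f"/companies/{company_id}")
    if (company_id, employee_id) not in EMPLOYEES:
        raise NotFound(f"/companies/{company_id}/employees/{employee_id}")
    post = POSTS.get((company_id, employee_id, post_id))
    if post is None:
        raise NotFound(f"/companies/{company_id}/employees/{employee_id}/posts/{post_id}")
    return post


def authorize_post_access(principal: Principal, company_id: int,
                          employee_id: int, post_id: int) -> dict:
    """Resolve the full path first, then apply the access rule to the result.

    Once the hierarchy has been validated, the ownership checks are cheap
    comparisons against ids the path already proved to be consistent.
    """
    post = resolve_post(company_id, employee_id, post_id)
    if principal.company_id != company_id:
        raise Forbidden("cross-company access")
    is_author = principal.employee_id == employee_id
    if post["private"] and not is_author and "admin" not in principal.roles:
        raise Forbidden("private post of another employee")
    return post


# Assumed route shape for the example; a framework router would do this.
PATH_RE = re.compile(r"^/companies/(\d+)/employees/(\d+)/posts/(\d+)$")


def handle_get(principal: Principal, path: str) -> tuple[int, dict]:
    """Map a GET on the nested path to (status_code, body)."""
    match = PATH_RE.match(path)
    if not match:
        return 404, {"error": "no such route"}
    company_id, employee_id, post_id = (int(g) for g in match.groups())
    try:
        post = authorize_post_access(principal, company_id, employee_id, post_id)
    except NotFound as exc:
        return 404, {"error": f"not found: {exc}"}
    except Forbidden as exc:
        return 403, {"error": str(exc)}
    return 200, post


if __name__ == "__main__":
    alice = Principal(company_id=12, employee_id=209, roles=frozenset())
    print(handle_get(alice, "/companies/12/employees/209/posts/5"))  # 200
    print(handle_get(alice, "/companies/11/employees/209/posts/5"))  # 404
```

The handler returns 404 for an inconsistent path and 403 for a resolved resource the caller may not read; some APIs deliberately collapse 403 into 404 so that a denied response does not confirm that the resource exists, which is a one-line change in `handle_get`.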