2

REST APIs conventionally expose resources addressed at the object level. While it's easy to do object level permissions using the appropriate HTTP responses, handling field level permissions is a bit less clear.

Imagine a hypothetical app which exposes the user object. Publicly, you want to show some subset of the fields; for the user themselves, all fields should be shown.

Should the public and private versions be different endpoints, or is it reasonable to return a different set of fields depending on permissions?

asked Mar 6, 2015 at 19:27

1 Answer

2

A resource is a resource. The resource doesn't change simply because the permissions change. What you can do with the resource or what you can know about the resource might change, but the mapping of the resource doesn't change. If it does it becomes a different resource type. So in your description, it's conceivable that various properties would exist at any access of the user resource, but there would only be certain properties available based on the accessor's permissions. The inaccessible properties would simply be null.

answered Mar 6, 2015 at 19:36
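The approach in the answer, a single user resource whose properties are filled in or withheld according to the accessor's permissions, as an added example that is not part of the original post. The user record, the field names and the owner-only rule are constructed for illustration; the allow-lists are the policy, so a field that is not listed for an access level is never sent.

```python
from typing import Optional

# Constructed sample user record (not from the original post).
USER = {
    "id": 42,
    "username": "alice",
    "display_name": "Alice",
    "email": "alice@example.com",
    "phone": "+1-555-0100",
    "two_factor_enabled": True,
}

# Field-level policy as allow-lists per access level. Anything not listed
# is withheld, so adding a new sensitive column to the record does not
# leak it until someone deliberately grants it here.
PUBLIC_FIELDS = {"id", "username", "display_name"}
OWNER_FIELDS = PUBLIC_FIELDS | {"email", "phone", "two_factor_enabled"}


def visible_fields(requester_id: Optional[int], user_id: int) -> set[str]:
    """Decide which properties the requester may read on this user.

    requester_id comes from the authenticated session, never from the
    request body or query string (a hypothetical caller is assumed to
    have already verified the session).
    """
    if requester_id is not None and requester_id == user_id:
        return OWNER_FIELDS
    return PUBLIC_FIELDS


def serialize_user(user: dict, requester_id: Optional[int], *, omit: bool = False) -> dict:
    """Render the same user resource for any accessor.

    By default inaccessible properties are present but null, which is the
    shape the answer describes: the resource keeps its full mapping and
    only the knowable values change. With omit=True the withheld keys are
    dropped instead, which lets a client distinguish "not permitted" from
    "genuinely empty".
    """
    allowed = visible_fields(requester_id, user["id"])
    if omit:
        return {k: v for k, v in user.items() if k in allowed}
    return {k: (v if k in allowed else None) for k, v in user.items()}


if __name__ == "__main__":
    print("owner view:    ", serialize_user(USER, 42))
    print("anonymous view:", serialize_user(USER, None))
    print("other user:    ", serialize_user(USER, 7, omit=True))
```

The one caveat with the null convention is that a withheld field and a field the user left blank look identical to the client; if that distinction matters, omitting the key (or documenting a separate "restricted" marker) is clearer. Either way the filtering has to happen on the server from the session identity, so a request cannot widen its own field set.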
