2

Two scenarios:

Scenario 1 - Redacting information on a resource

Let's say I've got a User resource

id: string; 
username: string; 
address: string;

For privileged users they may see:

id: "1", 
username: "bobby", 
address: "123 Foo Lane"

However for less-privledged users, they see:

id: "1", 
username: "bobby", 
address: "<REDACTED>";

Is this RESTful or no?

Scenario 2 - Attaching user specific meta data to a resource

For example we have a Widget resource, which has raw data of the shape:

id: string; 
name: string;

But the response also returns access permissions information to the response, for example an admin user might see:

{
 data: {
 id: "1", 
 name: "foo",
 }, 
 _accessControl {
 canDelete: true, 
 canEdit: true
 }
}

While and ordinary user sees:

{
 data: {
 id: "1", 
 name: "foo",
 }, 
 _accessControl {
 canDelete: false, 
 canEdit: false
 }
}

The reason we might want to do this, is to change frontend behaviour in regards to this resource (eg not showing a delete button if the user can't delete the resource).

Is this RESTfuL? How else might the server hint at the access permissions for the resource?

(FWIW - if using ACL based permissioning - you could have an acl attribute on the resource, and client works out themselves whether they can edit the resource or not. However let's assume that's too costly for the the client to do).

This answer here appears to suggest something similar - is the convention of prefixing an attribute with an underscore to denote that 'this is user specific' an inherently RESTful concept?

asked May 6, 2022 at 1:10
8
  • My scenario 1 appears to be a duplicate of this question: softwareengineering.stackexchange.com/questions/438401/… Commented May 6, 2022 at 1:23
  • Returning different content is perfectly fine as long as your server also returns a Vary header to prevent inappropriate caching. Commented May 6, 2022 at 6:25
  • It's your system and you define the rules ;) But I would not send access control information alongside data. I would pass this information with user information after login, say {"firstName": "John", "lastName":"Doe", "acl":[ $whatever]} Commented May 6, 2022 at 7:26
  • Perhaps I'm in ignorance of something, but in what way are you concerned your scenario would violate any RESTful principles? Commented May 6, 2022 at 15:32
  • @Hawkeye What I was wondering if if something to be RESTful - it needed to look the same to all consumers of it. Commented May 7, 2022 at 3:39

1 Answer 1

2

Scenario 1

Yes, that is RESTful. There's a User resource, different clients can get different Representation of the object, nothing is wrong with that. What can make it not RESTful is how the request was made? E.g. do you use Authentication header or "session"?

Scenario 2

Not quite. Instead of returning some ACL permission object which interpretation specific to a client, you want to return hypertext links that allows client to manipulate the resource. This is easier to illustrate with a webpage that has an Edit link that takes the users to a page form they can fill and a Save button so they POST their changes.

Non-browser clients can do more than GET and POST requests, that's why the links are represented that way, i.e. href and method, so clients can do e.g. PUT requests.

The underscore prefixing _links is not RESTful, REST is an architectural style, not a set of rules that need to be followed. I believe links come from JSON-HAL and the underscore is to identify reserved properties.

answered May 6, 2022 at 2:39

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.