Patrizio Rullo - 2 months ago

Question

RESTful API best practices for admin and normal user access

Having to create a RESTful web service with admin and normal user access to resources (let's say cars), I would like to structure the URI for the users as:

http://myhost/users/5/cars/2


But as admin user, I would like to access all cars like:

http://myhost/cars/51


Instead of the first structure I proposed, would you think it's better to use just one URI for cars, using filters for users, like:

http://myhost/cars/?user=5


so as not to have 2 different URIs for the same resource? Do you have other suggestions?

Answer

Both of the following URLs are good, both for admin and for plain users. The auth token should be in the HTTP session, so the server should be able to detect whether the requester is admin or not.

http://myhost/cars returns a collection of cars. It's recommended that the returned cars are filtered based on authorization. If I'm an admin I can see all cars. If I'm user #5 then probably I can see only my car. So both admin and plain user can use the same URL.

In the case of http://myhost/cars/?user=5 an explicit filter is applied where I'm interested in the cars of user #5 even if I'm somebody else. Probably I get an empty list because I'm not authorized to see any item. This URL is also OK.

http://myhost/cars/51 means that I want to access car #51 directly. It doesn't matter if I'm admin or not. Probably I'll get a 4XX response (which XX is another debate) if I'm not authorized to see this entity.
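The authorization behaviour the answer describes (collection filtered by who is asking, an explicit `?user=` filter intersected with that, and a direct lookup that returns 4XX when the caller may not see the item) as a worked example. This is added code, not the answerer's or the asker's; it uses a constructed in-memory car table, a hypothetical `Principal` object standing in for whatever the session token resolves to, and a hypothetical `handle_get` dispatcher in place of a real web framework. It also routes the asker's nested `/users/5/cars/2` form onto the same check, so both URI styles enforce one object-level authorization rule.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: cars 2 and 7 belong to user 5, car 51 to user 9.
CARS = {
    2: {"id": 2, "owner": 5, "model": "sedan"},
    7: {"id": 7, "owner": 5, "model": "van"},
    51: {"id": 51, "owner": 9, "model": "coupe"},
}


@dataclass(frozen=True)
class Principal:
    """Hypothetical caller identity, as resolved from the session/auth token."""
    user_id: int
    is_admin: bool = False


def can_view(principal: Principal, car: dict) -> bool:
    # The single object-level rule every route below must go through.
    return principal.is_admin or car["owner"] == principal.user_id


def list_cars(principal: Principal, user_filter: Optional[int] = None):
    """GET /cars or GET /cars?user=N: filter by authorization first, then by the explicit filter."""
    visible = [c for c in CARS.values() if can_view(principal, c)]
    if user_filter is not None:
        visible = [c for c in visible if c["owner"] == user_filter]
    return 200, sorted(visible, key=lambda c: c["id"])


def get_car(principal: Principal, car_id: int, hide_existence: bool = True):
    """GET /cars/{id}: 404 if missing; 404 (or 403 if you prefer to reveal existence) if not authorized."""
    car = CARS.get(car_id)
    if car is None:
        return 404, None
    if not can_view(principal, car):
        return (404 if hide_existence else 403), None
    return 200, car


# Both URI styles from the question map onto the same two handlers.
ROUTES = [
    (re.compile(r"^/cars/?$"), "list"),
    (re.compile(r"^/cars/(\d+)$"), "one"),
    (re.compile(r"^/users/(\d+)/cars/?$"), "user_list"),
    (re.compile(r"^/users/(\d+)/cars/(\d+)$"), "user_one"),
]


def handle_get(principal: Principal, url: str):
    """Hypothetical dispatcher: returns (status, body) like a framework view would."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    for pattern, kind in ROUTES:
        m = pattern.match(parts.path)
        if not m:
            continue
        try:
            if kind == "list":
                raw = query.get("user")
                return list_cars(principal, int(raw[0]) if raw else None)
            if kind == "one":
                return get_car(principal, int(m.group(1)))
            if kind == "user_list":
                return list_cars(principal, int(m.group(1)))
            if kind == "user_one":
                status, car = get_car(principal, int(m.group(2)))
                # The nested path must also agree with the real owner; otherwise
                # a guessed /users/X/cars/Y would leak whether car Y exists.
                if status == 200 and car["owner"] != int(m.group(1)):
                    return 404, None
                return status, car
        except ValueError:
            return 400, None  # non-numeric id or filter value
    return 404, None


if __name__ == "__main__":
    admin, user5, user9 = Principal(0, True), Principal(5), Principal(9)
    for who, url in [(admin, "http://myhost/cars"), (user5, "http://myhost/cars"),
                     (user9, "http://myhost/cars/?user=5"), (user5, "http://myhost/cars/51"),
                     (user5, "http://myhost/users/5/cars/2")]:
        print(who.user_id, url, "->", handle_get(who, url))
```

Note the ordering in `list_cars`: the authorization filter is applied before the explicit `?user=` filter, so a plain user asking for someone else's cars gets the empty list the answer predicts rather than a leak. `hide_existence` is the "which XX" decision: 404 hides that the car exists at all, 403 admits it exists but refuses access.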