I have resource endpoints that I would like to respond differently to the user that tries to access the endpoint.

Scenario

Let us say that I have a resource endpoint /users, and the following UserTypes:

  • GirlUser
  • BoyUser
  • Admin

When a GirlUser executes a GET on /users I want to only allow for other GirlUsers to be accessible. I would expect BoyUsers to have a similar result, and Admins to receive all users.

My Question

Is it more RESTful to:

  1. Handle this with different GrantTypes or Scopes through OAuth, using the one /users endpoint.
  2. Have different endpoints, such as: users/girls, users/boys, and users/all.
  3. Have different APIs for the different types of users.
  4. I'm totally off-base with possible answers and it's something that I don't expect.

Would anything change if I have other endpoints that I would want to only be operational for a certain UserType?

(For example, ones that process payments.)

Thank you.

Manuel Zubieta

1 Answer

Your endpoints should be independent of the sex of the user. What's the problem in having a common User endpoint? (You are doing it right already!!)

Though it depends on the kind of information that you want to return, the kind of resources in hand. Are you returning JSON/XML? You have a Girl and a Boy class that you work with in the backend. If a girl user hits the endpoint you serialize objects and return data to the user - that sounds okay to me.

If your UML design does not differentiate between girls/boys then you should have the same endpoint.

In order to understand the problem properly:
i) What kind of data are you returning?
ii) How have you designed the UML?
iii) Are you returning some data from a DB? Is it expensive to run an all-girls/all-boys query on it every time the endpoint is hit?

As for scopes, in OAuth one scope generally corresponds to one endpoint. Like in Google, G+ is a scope, google drive is a scope. We don't see G+ girls, G+ boys scopes, do we now?

In Java terms, the closest match to the API design is a Factory pattern (that's how I explain it to myself, might not be technically correct) - depending on the type of user you call a specific method that returns data. The endpoint should be generic and extensible - having separate APIs is indeed a bad design as it leaves little room for expansion.

divyanshm
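The single-endpoint design the answer describes, as an added Python example that is not part of the question or the answer: the authenticated caller's UserType selects the visibility rule applied on GET /users (a dispatch table in place of the Factory the answer mentions), and a separate allow-list guards the payment operation the question asks about, so callers of any type not explicitly listed are refused. UserType, User, VISIBILITY, OPERATIONS and the sample users are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, List


class UserType(Enum):
    GIRL = "GirlUser"
    BOY = "BoyUser"
    ADMIN = "Admin"


@dataclass(frozen=True)
class User:
    name: str
    user_type: UserType


# Constructed sample data standing in for the backend's user store.
USERS: List[User] = [
    User("alice", UserType.GIRL),
    User("bea", UserType.GIRL),
    User("bob", UserType.BOY),
    User("root", UserType.ADMIN),
]


class Forbidden(Exception):
    """Caller is not allowed to perform the operation (would map to HTTP 403)."""


# Visibility rule per caller type: each entry filters the full user list.
# A caller type with no entry is denied by default rather than shown everything.
VISIBILITY: Dict[UserType, Callable[[List[User]], List[User]]] = {
    UserType.GIRL: lambda users: [u for u in users if u.user_type is UserType.GIRL],
    UserType.BOY: lambda users: [u for u in users if u.user_type is UserType.BOY],
    UserType.ADMIN: lambda users: list(users),
}


def get_users(caller: User, users: List[User] = USERS) -> List[str]:
    """GET /users: one endpoint whose response depends on who is asking."""
    rule = VISIBILITY.get(caller.user_type)
    if rule is None:
        raise Forbidden(f"{caller.user_type.value} may not list users")
    return [u.name for u in rule(users)]


# Allow-list for operations that only certain UserTypes may perform.
OPERATIONS: Dict[str, FrozenSet[UserType]] = {
    "process_payment": frozenset({UserType.ADMIN}),
}


def process_payment(caller: User, amount: int) -> str:
    """POST /payments: refuse any caller whose type is not on the allow-list."""
    if caller.user_type not in OPERATIONS["process_payment"]:
        raise Forbidden("payments are restricted to Admin users")
    return f"processed {amount} for {caller.name}"
```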