0

Let's suppose I have a group of users and I want to add/delete users from the group. What I am confused about is what the best practice is for designing the URLs. Here are the options:

OPTION # 1

POST /groups/{groupId}/users -- The request body will contain the userId

DELETE /groups/{groupId}/users/{userId} -- The userId will be in the path and the request body will be empty

OPTION # 2

DELETE /groups/{groupId}/users -- The request body will contain the userId

POST /groups/{groupId}/users/{userId} -- The userId will be in the path and the request body will be empty

I believe both the answers are correct and I am guessing there is no right or wrong answer here, just personal preference. But I would like to know what is widely used. I have been using OPTION # 1 because I read in some book (the name escapes me) that the data you are POSTing shouldn't be a part of the URL, while when using DELETE there is no such best-practice restraint.

All inputs appreciated!

Shiva
shahshi15

2 Answers

3

The first option is the most common, but that means nothing, since misconceptions about REST are widespread. As a matter of fact, #1 isn't REST at all, it's RPC pure and simple.

Adding a member to the collection can be done either through a POST to the collection /groups/{groupId}/users, with the location of the created resource returned in the Location response header, or through a PUT request to the final location /groups/{groupId}/users/{userId}. The POST should return a 201 Created response, and the PUT either that or 200 OK, if the resource already existed and was replaced by the new one.

To delete, the correct way is to use DELETE /groups/{groupId}/users/{userId}. It's not a matter of personal preference. POST is a method you use for operations that aren't standardized by the HTTP protocol. Simple deletion is standardized through the DELETE method. Implementing it through the POST method simply means you'll have to document that functionality, instead of relying on the standard itself. You'd use POST only if you are doing something fancy during the deletion, something that already requires the functionality to be documented.

Pedro Werneck
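The add and delete semantics described in the answer above, as an added example that is not code from the answer or from any framework. The `handle` function, the in-memory `GROUPS` store, the userId character check and the 204/400/404/405 status choices are assumptions made for illustration; the 201/200 codes and the `Location` header follow the answer.

```python
import json
import re

# Constructed in-memory store (assumption): group id -> set of member user ids.
GROUPS = {"g1": set()}

COLLECTION = re.compile(r"^/groups/([^/]+)/users$")
MEMBER = re.compile(r"^/groups/([^/]+)/users/([^/]+)$")


def handle(method, path, body=b""):
    """Return (status, headers) for one request against the membership API."""
    if m := COLLECTION.match(path):
        members = GROUPS.get(m.group(1))
        if members is None:
            return 404, {}
        if method != "POST":
            return 405, {"Allow": "POST"}
        try:
            user_id = json.loads(body)["userId"]
        except (ValueError, KeyError, TypeError):
            return 400, {}
        # Reject ids that could not safely be placed in the Location path.
        if not isinstance(user_id, str) or not re.fullmatch(r"[A-Za-z0-9_-]+", user_id):
            return 400, {}
        members.add(user_id)
        # POST to the collection: 201 plus the new member's URI in Location.
        return 201, {"Location": f"{path}/{user_id}"}
    if m := MEMBER.match(path):
        members = GROUPS.get(m.group(1))
        if members is None:
            return 404, {}
        user_id = m.group(2)
        if method == "PUT":
            # PUT to the final location: 201 if created, 200 if it already existed.
            existed = user_id in members
            members.add(user_id)
            return (200 if existed else 201), {}
        if method == "DELETE":
            # The target comes from the URI only; any request body is ignored.
            if user_id not in members:
                return 404, {}
            members.discard(user_id)
            return 204, {}
        return 405, {"Allow": "PUT, DELETE"}
    return 404, {}
```

Because `DELETE` takes its target only from the path, a body naming a different user has no effect on which membership is removed.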
0

Option 1 seems to be the most common one. I don't have the feeling that option 2 is valid at all!

Onasus
  • Thanks for the input! Do you think option # 1 is still valid even though the only content in the request body is the user's id? – shahshi15 Jan 23 '14 at 19:57
  • You don't need to put anything in the request body when sending a `DELETE` request, since the request URI already contains the `userId`. Only `POST` and `PUT` requests should have a request body. – Xavier Coulon Jan 23 '14 at 20:39
  • 1
    @xmenymenzmen You are not allowed by the HTTPbis spec to use the body of a DELETE request. http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-25#page-29 – Darrel Miller Jan 24 '14 at 05:31
  • Being the most common doesn't mean it's correct. Option #2 is valid and correct. – Pedro Werneck Jan 24 '14 at 22:21