
Let’s say I have the following endpoints:

/accounts (company/business unit)
/vehicles (cars, trucks etc.)
/users (login user)

A user can have 3 different permissions: Global Admin, Account Admin and User.

If a user accesses vehicles as:

  • Global Admin: He will get all vehicles
  • Account Admin: All vehicles on the same account as himself
  • User: All his own vehicles

But if an Account Admin accesses /vehicles he might only want his own vehicles, and if a Global Admin only wants vehicles on his own related account. What then?

An example solution:
/accounts/{accountId}/vehicles (for Global Admin)
/accounts/current/vehicles (for Account Admin)
/vehicles (for User)

Or…
/accounts/{accountId}/vehicles (for Global Admin)
/vehicles/byUserAccount/{accountId} (for Account Admin)
/vehicles (for User)

Or…
/vehicles/byEntireAccount/{accountId} (for Global Admin)
/vehicles/byUserAccount/{accountId} (for Account Admin)
/vehicles (for User)

Is there any best practice or just good advice for this case?

Hope the question makes sense.

2 Answers


If I were to implement this, I would create only one endpoint to access vehicles (/vehicles/) and make it possible for global and account admin users to send an optional GET param to indicate what more they want. They could send either AllGlobal or AllAccount to indicate it. Sure, I would also check their permission against the request in the code before returning the data.

It's so easy to implement this in tastypie.

zaadeh

You don't need to do anything about this. Just list things the actual user is allowed to see with her security level on the same endpoint, that's all...

To be more elaborate:

  • You can add the /vehicles/ which can list the vehicles the actual user is allowed to see.
  • You can add the /account/{id}/vehicles/ which can list the vehicles related to a specific user.

note: According to the stateless constraint of REST, in your case you have to send enough information with every request to authenticate the user, and you cannot have a server side session storage...

inf3rno
  • If I use /vehicles for both the user's own vehicles and all account vehicles (if the user has access to both), then the logic (and filtering) would have to be on the client side. That does not seem like the best solution. – Kenny Johansen Sep 09 '14 at 07:35
  • I think you misunderstood. You use `/vehicles` for the entire vehicle list, and you use `/account/{id}/vehicles` for the user's own vehicles. You filter the content of the whole vehicle list on server side depending on the permissions of the user. – inf3rno Sep 09 '14 at 12:45
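Both answers above rest on the same property: whichever route shape is chosen, the server decides what a caller may see from the caller's authenticated role, and a caller can narrow its view but never widen it. The following is an added example, not code from the question or from either answer and not tastypie code. It assumes a hypothetical `scope` query parameter on `/vehicles` (standing in for the first answer's `AllGlobal`/`AllAccount` param) alongside the `/accounts/{accountId}/vehicles` path form from the question, with in-memory sample data constructed for the demonstration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Role(Enum):
    GLOBAL_ADMIN = "global_admin"
    ACCOUNT_ADMIN = "account_admin"
    USER = "user"


@dataclass(frozen=True)
class User:
    id: int
    account_id: int
    role: Role


@dataclass(frozen=True)
class Vehicle:
    id: int
    account_id: int
    owner_id: int


class Forbidden(Exception):
    """Raised when the caller asks for more than its role allows (HTTP 403)."""


# Scopes a caller may request via the hypothetical GET /vehicles?scope=... param,
# ranked from narrowest to widest, and the widest scope each role is entitled to.
SCOPE_OWN, SCOPE_ACCOUNT, SCOPE_GLOBAL = "own", "account", "global"
SCOPE_RANK = {SCOPE_OWN: 0, SCOPE_ACCOUNT: 1, SCOPE_GLOBAL: 2}
MAX_SCOPE = {
    Role.USER: SCOPE_OWN,
    Role.ACCOUNT_ADMIN: SCOPE_ACCOUNT,
    Role.GLOBAL_ADMIN: SCOPE_GLOBAL,
}


def list_vehicles(user: User, vehicles: List[Vehicle],
                  scope: Optional[str] = None,
                  account_id: Optional[int] = None) -> List[Vehicle]:
    """Server-side handler logic for two route shapes:

      GET /vehicles[?scope=own|account|global]  -> scope=..., account_id=None
      GET /accounts/{account_id}/vehicles       -> account_id=...

    The default scope is the widest the caller's role allows; a narrower scope
    may be requested; a wider one is refused. Filtering always happens here,
    never on the client, so the caller cannot enlarge its own view.
    """
    if account_id is not None:
        # Path form: a Global Admin may name any account, an Account Admin only
        # its own, and a plain User may not enumerate an account at all.
        if user.role == Role.USER:
            raise Forbidden("users may not list vehicles by account")
        if user.role == Role.ACCOUNT_ADMIN and account_id != user.account_id:
            raise Forbidden("account admins may only list their own account")
        return [v for v in vehicles if v.account_id == account_id]

    requested = scope if scope is not None else MAX_SCOPE[user.role]
    if requested not in SCOPE_RANK:
        raise ValueError(f"unknown scope {requested!r}")  # would be HTTP 400
    if SCOPE_RANK[requested] > SCOPE_RANK[MAX_SCOPE[user.role]]:
        raise Forbidden(f"role {user.role.value} may not request scope {requested}")

    if requested == SCOPE_GLOBAL:
        return list(vehicles)
    if requested == SCOPE_ACCOUNT:
        return [v for v in vehicles if v.account_id == user.account_id]
    return [v for v in vehicles if v.owner_id == user.id]


def visible_ids(user: User, vehicles: List[Vehicle], **kwargs) -> List[int]:
    """Vehicle ids the request would return, in input order."""
    return [v.id for v in list_vehicles(user, vehicles, **kwargs)]


def is_forbidden(user: User, vehicles: List[Vehicle], **kwargs) -> bool:
    """True if the request would be answered with 403."""
    try:
        list_vehicles(user, vehicles, **kwargs)
    except Forbidden:
        return True
    return False


# Constructed sample data (not from the question): two accounts, three vehicles.
VEHICLES = [Vehicle(1, 10, 100), Vehicle(2, 10, 101), Vehicle(3, 20, 200)]
ALICE = User(100, 10, Role.USER)           # owns vehicle 1
BOB = User(101, 10, Role.ACCOUNT_ADMIN)    # owns vehicle 2, admin of account 10
CAROL = User(300, 20, Role.GLOBAL_ADMIN)   # member of account 20, sees everything

if __name__ == "__main__":
    print("alice GET /vehicles:", visible_ids(ALICE, VEHICLES))                     # [1]
    print("bob   GET /vehicles:", visible_ids(BOB, VEHICLES))                       # [1, 2]
    print("bob   GET /vehicles?scope=own:", visible_ids(BOB, VEHICLES, scope="own"))  # [2]
    print("carol GET /accounts/10/vehicles:", visible_ids(CAROL, VEHICLES, account_id=10))  # [1, 2]
    print("bob   GET /accounts/20/vehicles -> 403:", is_forbidden(BOB, VEHICLES, account_id=20))  # True
```

The point of the rank table is that the role, taken from the authenticated request (the second answer's stateless constraint), sets an upper bound and the query parameter can only move downwards from it; a User sending `scope=account` or an Account Admin naming another account's id gets a 403 rather than a filtered list, which also gives you a clean event to log and alert on.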