
I'm curious when building a proper restful resource, what is the best action to take returning a resource based on a user's role.

For example, if User 1 calls GET api/Users/1, that user should get the base user object (first name, last name, email) along with proprietary information like SSN. But if User 2 calls GET api/Users/1, that user should get the base user object along with maybe the mutual friends they share.

Is this something that is advocated for a RESTful resource, or would it be easier to separate these concerns into something more specific, like api/Users/1/sensitive and api/Users/1/Friends?

If the former is acceptable, would this be something manageable through inheritance?

Thanks!

Matthew Hartz
  • You can use authentication with API calls to decide what information to share and with whom. HTTP Basic Auth!! https://stackoverflow.com/questions/7999295/rest-api-authentication – Riya May 27 '17 at 19:48
  • @Riya Everyone who can communicate with my APIs is authenticated. I can then check whether the caller of the API is the user being requested. At that point, is it best to return a whole different object depending on whether they are the user, or just hide particular properties? – Matthew Hartz May 27 '17 at 20:13
  • Return the same object with less/different properties, if that answers your question. – Riya May 27 '17 at 20:19

1 Answer

Hopefully you've made progress since you asked this question.

I will rephrase the statement made in this SO answer: it is perfectly under the ambit of REST to return different representations of the same resource based on constraints such as:
  • Accept header (e.g. a different format, like application/json or application/xml)
  • Authorization, i.e. based on what the caller is "authorized" to see

The only mandate from REST is that the URI for a resource must be the same. So consider /api/User/1 as the URI for the User resource with ID 1: perfectly fine per REST.

Whereas:

/api/User/1/private

/api/User/1/public

Isn't RESTful as it provides two URIs for the same resource.

Sudhanshu Mishra
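The answer's approach, one URI whose representation is projected by the caller's authorization, as an added example that is not part of the original question or answer. The user store, the field allow-lists and the function names are constructed for this illustration; the caller's identity is assumed to have been established already by the authentication layer.

```python
# Added example (not from the question or answer above): one URI, /api/Users/{id},
# whose representation is projected according to the caller's authorization.
# The user store, field allow-lists and helper names are constructed for this example.

# Constructed sample data: friends are stored as sets of user IDs.
USERS = {
    1: {"first_name": "Ada", "last_name": "Lovelace", "email": "ada@example.com",
        "ssn": "000-00-0001", "friends": {2, 3, 4}},
    2: {"first_name": "Alan", "last_name": "Turing", "email": "alan@example.com",
        "ssn": "000-00-0002", "friends": {1, 3, 5}},
    3: {"first_name": "Grace", "last_name": "Hopper", "email": "grace@example.com",
        "ssn": "000-00-0003", "friends": {1, 2}},
}

BASE_FIELDS = ("first_name", "last_name", "email")
# Allow-lists: a field is copied only when the role permits it, so a newly added
# sensitive column is never exposed by accident.
OWNER_ONLY_FIELDS = ("ssn",)


def role_for(caller_id, requested_id):
    """Derive the caller's role relative to the requested resource."""
    return "owner" if caller_id == requested_id else "other"


def represent_user(requested_id, caller_id):
    """Return (status, headers, body) for GET /api/Users/{requested_id}.

    The URI never changes; only the representation does.
    """
    record = USERS.get(requested_id)
    if record is None:
        return 404, {}, {"error": "not found"}
    # caller_id is assumed to come from the authentication layer, not from the request body.
    if caller_id not in USERS:
        return 401, {}, {"error": "unauthenticated"}
    body = {field: record[field] for field in BASE_FIELDS}
    role = role_for(caller_id, requested_id)
    if role == "owner":
        body.update({field: record[field] for field in OWNER_ONLY_FIELDS})
    else:
        # Mutual friends are intersected from both sides, so the caller only learns
        # about relationships they are already part of.
        mutual = record["friends"] & USERS[caller_id]["friends"]
        body["mutual_friends"] = sorted(mutual)
    # The representation depends on who asked: tell shared caches not to reuse it across callers.
    headers = {"Content-Type": "application/json", "Vary": "Authorization"}
    return 200, headers, body
```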