
In my current project I have Roles and Permissions. Obviously, Permissions can be assigned to Roles.

To assign a bulk of Permissions to a Role with id 1, I use the following method:

POST /roles/1/permissions (RequestBody: List of permissions)

In the same way, I would remove a bulk of permissions at once:

DELETE /roles/1/permissions (RequestBody: List of permissions)

(I'm not sure if this is valid at all, as a DELETE request should not contain a request body.)

Now I would like to have a way to clear all permissions of a role. Logically I would use:

DELETE /roles/1/permissions

But this seems to interfere with the way I remove a bulk of permissions. Or is the nonexistence of a request body already enough to distinguish the two methods?

Herr Derb
  • Concerning "DELETE with a body", there is a fierce discussion about whether it is allowed or not: https://stackoverflow.com/questions/299628/is-an-entity-body-allowed-for-an-http-delete-request – Aurélien Bénel Oct 19 '17 at 08:51

2 Answers


Please note that both the referenced question by @Aurélien as well as the answer given by @jurez are based on RFC 2616, which is obsolete since RFC 7231. RFC 7231 states the following in regards to a DELETE payload:

A payload within a DELETE request message has no defined semantics; sending a payload body on a DELETE request might cause some existing implementations to reject the request.

The usage of a DELETE payload is thus not recommended if you want to be compliant with RESTful architecture.

You do, though, have a couple of options left:

  • PUT with the set of permissions that should be available after the operation was performed (due to the semantics of PUT which simply replaces the current obtainable state with the state provided in the payload)
  • PATCH containing a payload that instructs the server on how to remove the unwanted permissions. Note the transaction requirement on this operation. Either the operation is applied completely or not at all!
  • POST with some parameters the server can use to learn that some permissions need to be removed (i.e. by using a query string like /roles/1/permissions?remove=PROMOTE_USERS,CLOSE_TOPIC). Note that this approach only works if the number of characters forming the URI does not exceed a certain client/framework dependent limit. For the given scenario, however, it is unlikely that you will exceed this.
Roman Vottner
  • Could I use the approach `/roles/1/permissions?remove=1,2,3` also this way? `DELETE /roles/1/permissions?id=1,2,3` – Herr Derb Oct 30 '17 at 13:05
  • It depends on the semantic you try to cover. If you want to achieve a [force-delete](https://stackoverflow.com/questions/2539394/rest-http-delete-and-parameters) somehow, invoking `DELETE` with `someResource?forceDelete=true` may contradict the `uniform identifier` constraint RESTful architecture enforces, while [applying a filter before deletion](https://stackoverflow.com/questions/34939484/in-rest-api-can-delete-methods-have-parameters) (as probably asked in your comment) does neither interfere with the HTTP spec nor with any constraints a RESTful architecture has. – Roman Vottner Oct 30 '17 at 13:45
  • Yes, my intention is to use query parameters to filter the delete request. I guess that's the way I'll go then. Thanks a lot. – Herr Derb Oct 30 '17 at 13:54
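As an added example (not code from the question or from either answer), here is a minimal stdlib-only Python handler for the design the comments settle on: `DELETE /roles/1/permissions?id=1,2,3` removes only the listed permissions, while the same path with no filter clears all of them. The in-memory `ROLES` store, the permission ids and the function names are constructed for illustration; the handler deliberately ignores any request body, because (per the RFC 7231 quote above) an intermediary may drop it and a handler that keyed "clear all" off the body's absence could silently turn a targeted removal into a full wipe.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample store: role id -> set of permission ids (not the asker's data).
ROLES = {1: {10, 20, 30, 40}}


def parse_id_filter(query):
    """Parse an optional ?id=1,2,3 (or repeated ?id=1&id=2) filter.

    Returns a set of ints, or None when no filter was supplied at all.
    Raises ValueError for anything that is not a plain decimal id, so a
    malformed filter is rejected instead of being treated as 'no filter'."""
    values = parse_qs(query, keep_blank_values=True).get("id")
    if values is None:
        return None
    ids = set()
    for chunk in values:
        for token in chunk.split(","):
            token = token.strip()
            if not token.isdigit():
                raise ValueError(f"invalid permission id: {token!r}")
            ids.add(int(token))
    return ids


def handle_delete_permissions(path_and_query, body=None, roles=ROLES):
    """DELETE /roles/<id>/permissions[?id=a,b,c]  ->  (status, json-able dict)

    `body` is accepted only so callers can pass what they received; it is
    never inspected. Only the query string decides what is removed: an
    explicit filter removes those ids, no filter means 'clear all'."""
    parts = urlsplit(path_and_query)
    seg = parts.path.strip("/").split("/")
    if len(seg) != 3 or seg[0] != "roles" or seg[2] != "permissions" or not seg[1].isdigit():
        return 404, {"error": "not found"}
    role_id = int(seg[1])
    if role_id not in roles:
        return 404, {"error": "unknown role"}
    try:
        wanted = parse_id_filter(parts.query)
    except ValueError as exc:
        return 400, {"error": str(exc)}  # reject rather than guess
    current = roles[role_id]
    if wanted is None:
        removed = set(current)  # unfiltered DELETE: clear everything
        current.clear()
    else:
        removed = current & wanted  # ids not assigned are simply not reported
        current -= wanted
    return 200, {"removed": sorted(removed), "remaining": sorted(current)}
```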

Absence of a request body should not be used to distinguish between HTTP methods. In practice, you could get away with it, but you'll have a hidden compatibility issue. You should follow the HTTP specification, which mandates the use of the HTTP method:

The Host request-header field (section 14.23) MUST accompany all HTTP/1.1 requests.

jurez