<p>How to model restrictions on data visible on resources? Different people are accessing the same resources but with different roles, so they are not allowed to see all the information.</p>

<p>The case I am working on:<br>
Solution without access restriction on information:</p>

<pre><code>User:
  name
  phoneNumber
</code></pre>

<p>If anyone could access it, this would be easy to model as:</p>

<pre><code>GET /User      -&gt; [{name:"John", phoneNumber: "322-333"}]
GET /User/{id} -&gt; {name:"John", phoneNumber: "322-333"}
</code></pre>

<p>However, say I have two roles, admin and user. The phoneNumber must only be visible to users who are also admins. The authorization token is transmitted in a cookie, header or similar. The server will know which roles a requester has. How would one design an API to handle this? I have a couple of ideas:</p>

<p>1) The naive solution would be to just filter it and leave the fields unset if you aren't allowed to access it, i.e.</p>

<pre><code>If user:
GET /User -&gt; [{name:"John"}]
If admin:
GET /User -&gt; [{name:"John", phoneNumber: "322-333"}]
</code></pre>

<p>2) Embed the role in the URL:</p>

<pre><code>If user is wanted as a User:
GET /User/User  -&gt; [{name:"John"}]
If user is wanted as an Admin:
GET /Admin/User -&gt; [{name:"John", phoneNumber: "322-333"}]
</code></pre>

<p>3) Define a new resource for each possible subset of fields:</p>

<pre><code>If user is wanted as a User:
GET /PublicUserInfo -&gt; [{name:"John"}]
If user is wanted as an Admin:
GET /FullUserInfo   -&gt; [{name:"John", phoneNumber: "322-333"}]
</code></pre>

<p>Would a different approach be better?<br>
Does anyone have experience with a solution that worked out in practice?</p>
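As an added example, not code from the original post, here is option 1 (same URL, response filtered per role) implemented as an allow-list policy table rather than ad-hoc field stripping, with the mirror check on PATCH bodies so a role that cannot read <code>phoneNumber</code> cannot write it either. Everything here is hypothetical: the server is assumed to have already authenticated the request and extracted the requester's roles from the cookie or header, the store is a plain dict, and <code>Forbidden</code> stands in for an HTTP 403.

```python
"""Role-based field projection for a REST resource (option 1 above).

Added example, not code from the original post. Assumes a hypothetical server
that has already authenticated the request and extracted the requester's roles
from the cookie or header; the data store is a dict.
"""
from dataclasses import dataclass, replace
from typing import Any


@dataclass(frozen=True)
class User:
    id: int
    name: str
    phone_number: str


# Allow-list policy: a field is emitted only if the requester holds at least
# one of the listed roles. A field missing from the table is never emitted,
# so a newly added attribute is hidden by default instead of leaked by default.
READ_POLICY: dict[str, frozenset[str]] = {
    "name": frozenset({"user", "admin"}),
    "phoneNumber": frozenset({"admin"}),
}
# Same idea for writes: which roles may set each field via PATCH.
WRITE_POLICY: dict[str, frozenset[str]] = {
    "name": frozenset({"admin"}),
    "phoneNumber": frozenset({"admin"}),
}
# Wire name -> dataclass attribute.
JSON_TO_ATTR = {"name": "name", "phoneNumber": "phone_number"}


class Forbidden(Exception):
    """Maps to HTTP 403 in the hypothetical server."""


def project(user: User, roles: set[str]) -> dict[str, Any]:
    """Return only the fields the given roles may read."""
    return {
        field: getattr(user, JSON_TO_ATTR[field])
        for field, allowed in READ_POLICY.items()
        if roles & allowed
    }


def get_users(db: dict[int, User], roles: set[str]) -> list[dict[str, Any]]:
    """GET /User: one projection per record, same URL for every role."""
    return [project(u, roles) for u in db.values()]


def get_user(db: dict[int, User], user_id: int, roles: set[str]) -> dict[str, Any]:
    """GET /User/{id}."""
    return project(db[user_id], roles)


def forbidden_writes(payload: dict[str, Any], roles: set[str]) -> list[str]:
    """Fields in a PATCH body the caller may not set. Unknown fields count too:
    silently dropping them would hide mass-assignment attempts."""
    return sorted(
        f for f in payload
        if f not in WRITE_POLICY or not (roles & WRITE_POLICY[f])
    )


def patch_user(db: dict[int, User], user_id: int, payload: dict[str, Any],
               roles: set[str]) -> dict[str, Any]:
    """PATCH /User/{id}: reject (not strip) fields outside the write policy,
    then answer with the caller's own read projection of the updated record."""
    rejected = forbidden_writes(payload, roles)
    if rejected:
        raise Forbidden(f"not permitted to set: {rejected}")
    updated = replace(db[user_id], **{JSON_TO_ATTR[f]: v for f, v in payload.items()})
    db[user_id] = updated
    return project(updated, roles)


# Constructed sample data; only the "John" record comes from the post.
SAMPLE_DB: dict[int, User] = {
    1: User(1, "John", "322-333"),
    2: User(2, "Jane", "555-010"),
}

if __name__ == "__main__":
    print(get_users(SAMPLE_DB, {"user"}))   # [{'name': 'John'}, {'name': 'Jane'}]
    print(get_users(SAMPLE_DB, {"admin"}))  # phoneNumber included
```

The point of the table is that every field-visibility decision lives in one place that can be reviewed, and a requester with no matching role gets an empty object rather than an error that reveals the field exists. Options 2 and 3 from the post need one endpoint per role or per field subset, and each new endpoint is another place where a field can be forgotten.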