Are there any best practices for exposing resource permissions/ACL to a front end via a RESTful API? Are there any best practices for exposing resource permissions/ACL to a front end via a RESTful API? symfony symfony

Are there any best practices for exposing resource permissions/ACL to a front end via a RESTful API?


rest symfony restful-architecture

In a purely RESTful scenario, the client wouldn't manage an ACL at all. Rather, as the client requests information, returned resources would include links from those resources to possible links the client could follow. That way the server is telling the client what can and cannot be done with the given resource (specific to who is requesting it).

Example: your JS client retrieves a JSON payload for an item which has been purchased but has not yet been shipped. The client might receive a payload that looks like this:

{  "name": "Gadget 1",  "price": "16.99",  "status": "ORDERED",  "_links": {    "details": { "href": "/item/a631723d69/details",                 "method": "GET"),    "cancel-shipment": {  "href": "/item/a631723d69",                 "method": "DELETE" }  }}

Because the server returned the cancel-shipment link relation, it means that the item in the order is allowed to be cancelled at the present moment. But imagine what the resource might look like after it's shipped and the request is made several days later:

{  "name": "Gadget 1",  "price": "16.99",  "status": "SHIPPED",  "_links": {    "details": { "href": "/item/a631723d69/details",                 "method": "GET")  }}

The cancel-shipment link relation would no longer be returned from the server, because it's no longer a permissible operation (i.e., you can't cancel an order after it's been shipped).

More traditional access control can be managed in the same way (i.e., don't send the cancel-shipment link to a user who isn't authorized). Suppose the order hasn't shipped yet and your spouse can see what it is you've ordered but is not allowed to cancel it. They'd get this back:

{  "name": "Gadget 1",  "price": "16.99",  "status": "ORDERED",  "_links": {    "details": { "href": "/item/a631723d69/details",                 "method": "GET")  }}

So in summary, the links returned in each response encapsulate and represent what the requestor is authorized to do at any given moment in the system.

In any case, you must check for appropriate authorization on the server for the request being made, as you never know when someone may be hacking around with raw URLs.

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last