Excluding private data in RESTful response


Question

What is the best practice for excluding certain fields/data in a RESTful response if the user requesting it shouldn't be able to see all of the data?

Example:

First Name, Last Name, Date of Birth.

Both authenticated and non-authenticated users can make RESTful requests to /people.xml to get a full list of people. However, only authenticated users should be able to view all of the information. Non-authenticated users should only have the First and Last Name fields returned (excluding the Date of Birth data).

Should the Person controller check for authentication before building the response? If the user is authenticated they get everything, else they only get a subset? Does that break any rules of REST where /people.xml can send two separate results?

Accepted answer

No, that's fine. It's the same resource, but with different representations based on the authentication information. You could also serve different versions depending on what the Accept header contained (you should use that one instead of file extensions like .xml, by the way), or you could serve different language versions, or you could render the page differently if the logged-in user has specific personalization options defined. It's all legal. Consider a website that has a login box. If you're logged in, the page will be different. That's the same thing, except it doesn't specifically affect the enclosed information per se. Controlling caching and so forth in these cases is exactly what Cache-Control, Vary and friends are for. Also see http://www.subbu.org/blog/2007/12/vary-header-for-restful-applications
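The pattern the answer describes, as an added example that is not part of the original question or answer: one handler for the people resource that picks the field set from the caller's authentication, picks the serialization (JSON or XML) from the Accept header instead of a file extension, and sets Vary and Cache-Control so a shared cache never hands the fuller representation to an anonymous client. The people list, the bearer-token check and the header names used for the request are constructed for the example; a real service would replace the token set with its own authentication.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample data standing in for the people resource.
PEOPLE = [
    {"first_name": "Ada", "last_name": "Lovelace", "date_of_birth": "1815-12-10"},
    {"first_name": "Alan", "last_name": "Turing", "date_of_birth": "1912-06-23"},
]

# Field sets for the two representations of the same resource.
PUBLIC_FIELDS = ("first_name", "last_name")
FULL_FIELDS = PUBLIC_FIELDS + ("date_of_birth",)

# Hypothetical token store; a real service would verify a session or signed token.
VALID_TOKENS = {"example-token-123"}


def is_authenticated(headers):
    """Return True only for a well-formed Bearer token that we recognise."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and token in VALID_TOKENS


def represent_people(authenticated):
    """Build the representation: full records when authenticated, else the public subset.

    Fields are picked by an allow-list, so a newly added private column is
    excluded by default rather than leaking until someone remembers to hide it.
    """
    fields = FULL_FIELDS if authenticated else PUBLIC_FIELDS
    return [{name: person[name] for name in fields} for person in PEOPLE]


def to_xml(people):
    root = ET.Element("people")
    for person in people:
        node = ET.SubElement(root, "person")
        for name, value in person.items():
            ET.SubElement(node, name).text = value
    return ET.tostring(root, encoding="unicode")


def wants_xml(headers):
    """Content negotiation on Accept; JSON is the default."""
    return "application/xml" in headers.get("Accept", "")


def get_people(headers):
    """Handle GET on the people resource; returns (status, headers, body)."""
    authenticated = is_authenticated(headers)
    people = represent_people(authenticated)

    if wants_xml(headers):
        content_type, body = "application/xml", to_xml(people)
    else:
        content_type, body = "application/json", json.dumps(people)

    response_headers = {
        "Content-Type": content_type,
        # The representation depends on both of these request headers, so
        # caches must key on them and not serve one client's copy to another.
        "Vary": "Authorization, Accept",
        # The fuller representation must never sit in a shared cache.
        "Cache-Control": "private, no-store" if authenticated else "public, max-age=60",
    }
    return 200, response_headers, body


if __name__ == "__main__":
    for req in ({}, {"Authorization": "Bearer example-token-123"}):
        status, hdrs, body = get_people(req)
        print(status, hdrs["Cache-Control"], body)
```

The allow-list in `represent_people` is the security-relevant choice: a representation assembled from an explicit list of permitted fields fails closed, whereas one that copies the record and deletes private keys fails open the moment the schema grows.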
