Different REST representations of same resource for different authenticated users

Views: 35

Question

I have a simple resource something like this:

/api/{configuration}/exhibitors/{id}

This is generally a public API depending on the setup of the configuration part of the URL.

It might return this to a non-authenticated user:

{ "a" : "some value", "b" : "other value" }

But if an administrator was logged in and wanted to get this resource, they'd expect some slightly different data on that same resource:

{ "a" : "some value", "C" : "admin only value" }

Should I be detecting this admin authority and just return different content from the same URL?

Or should I have a new URL that identifies who it is for and that the content might be different?

/api/admin/{configuration}/exhibitors/{id}

My thinking is that I don't like the extra URLs, but I'll more easily be able to cache the public content if I do not potentially change the content depending on the user.

There is no reason that the admin call can't get the full public version of the resource plus the additional admin only fields, but they probably don't actually need field "b" in my example, so I'd rather the admin representation was a bit lighter.

Answer

Depending on the situation, both options are viable. As you mention, allowing variations in the representations will make caching difficult. However, there is extra overhead in supporting different resources. Ideally your server side framework makes it easy to create additional resources, so the overhead should be minimal.

The other option is to return the public version and provide an embedded hyperlink to a resource that contains just the additional "admin-only" properties. If your clients can deal easily with hypermedia, that becomes a fairly flexible option.
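The three options in the answer as small handler functions, written as an added example (not code from the question or the answer). The field names come from the question; the `is_admin` flag is assumed to come from the application's own authentication layer, and the `/admin` sub-path for the linked resource is an assumption. The cache headers are the part that matters: a role-dependent representation at a shared URL must never be storable by a shared cache.

```python
# Added example: the answer's options as (status, body, headers) handlers.
# is_admin is assumed to be supplied by the app's authentication layer.

# Constructed sample record using the field names from the question.
EXHIBITOR = {"id": 7, "a": "some value", "b": "other value", "C": "admin only value"}

PUBLIC_FIELDS = ("a", "b")   # what an anonymous caller may see
ADMIN_FIELDS = ("a", "C")    # lighter admin view: drops "b", adds "C"

PUBLIC_CACHE = {"Cache-Control": "public, max-age=300"}
PRIVATE_CACHE = {"Cache-Control": "private"}   # never stored by a shared cache


def exhibitor_same_url(record, is_admin):
    """Option 1: one URL, representation chosen by the caller's role.
    Vary on Authorization so a cache never hands an anonymous copy to an
    authenticated request, and mark the admin variant private so a shared
    cache does not store the admin-only fields at all."""
    fields = ADMIN_FIELDS if is_admin else PUBLIC_FIELDS
    body = {k: record[k] for k in fields}
    headers = {"Vary": "Authorization", **(PRIVATE_CACHE if is_admin else PUBLIC_CACHE)}
    return 200, body, headers


def exhibitor_public_with_link(record, configuration):
    """Option 3: always the public representation plus a hypermedia link to a
    separate admin-only resource (the "/admin" sub-path is an assumption).
    Nothing in this body depends on the caller, so it is safe to cache publicly."""
    body = {k: record[k] for k in PUBLIC_FIELDS}
    body["_links"] = {
        "admin": {"href": f"/api/{configuration}/exhibitors/{record['id']}/admin"}
    }
    return 200, body, dict(PUBLIC_CACHE)


def exhibitor_admin_details(record, is_admin):
    """The linked admin-only resource (option 2 is the same handler served at
    its own URL): carries just the extra fields and refuses non-admin callers,
    so the sensitive representation never shares a cache key with public data."""
    if not is_admin:
        return 403, {"error": "forbidden"}, {"Cache-Control": "no-store"}
    body = {k: record[k] for k in ADMIN_FIELDS if k not in PUBLIC_FIELDS}
    return 200, body, dict(PRIVATE_CACHE)
```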
