How to model restrictions on data visible on resources?


Problem description

How to model restrictions on data visible on resources? Different people are accessing the same resources but with different roles so they are not allowed to see all the information.

The case I am working on:
Solution without access restriction on information:

User:
  name
  phoneNumber

If anyone could access it this would be easy to model as:

GET /User -> [{name:"John", phoneNumber: "322-333"}]
GET /User/{id} -> {name:"John", phoneNumber: "322-333"}

However, say I have two roles, admin and user. The phoneNumber must only be visible to users who are also admins. Authorization token is transmitted in a cookie, header or similar. The server will know which roles a requester has. How would one design an API to handle this? I have a couple of ideas:

1) The naive solution would be to just filter it and leave the fields unset if you aren't allowed to access it, i.e.

If user: GET /User -> [{name:"John"}]
If admin: GET /User -> [{name:"John", phoneNumber: "322-333"}]

2) Embed the role in the url:

If user is wanted as a User: GET /User/User -> [{name:"John"}]
If user is wanted as an Admin: GET /Admin/User -> [{name:"John", phoneNumber: "322-333"}]

3) Define a new resource for each possible subset of fields:

If user is wanted as a User:   GET /PublicUserInfo -> [{name:"John"}]
If user is wanted as an Admin: GET /FullUserInfo -> [{name:"John", phoneNumber: "322-333"}]

Would a different approach be better ?
Does anyone have experience with a solution that worked out in practice?

Recommended answer

Use option 1 based on the authenticated user. If you opt for 2 or 3, clients implementing your API have to worry about twice as many API endpoints and when they should be used.
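Option 1 from the question, as an added example that is not part of the original post or answer: the server decides which fields of a `/User` record to return from the roles attached to the verified session, using a per-role allowlist so that any field not explicitly granted (including ones added later) stays hidden by default. The role names, the `session` shape and the sample records are assumptions for illustration.

```javascript
// Added example: field-level filtering of a resource representation based on
// the requester's roles (option 1). Allowlist per role, so unknown or newly
// added fields are denied unless a policy explicitly grants them.
const FIELD_POLICY = {
  user: ["id", "name"],                  // assumption: any authenticated user
  admin: ["id", "name", "phoneNumber"],  // admins additionally see phoneNumber
};

// Union of the fields visible to a requester holding the given roles.
// Roles without a policy entry contribute nothing.
function visibleFields(roles) {
  const fields = new Set();
  for (const role of roles) {
    for (const f of FIELD_POLICY[role] ?? []) fields.add(f);
  }
  return fields;
}

// Return a copy of `record` holding only the fields the requester may see.
// Fields absent from every granted allowlist (e.g. passwordHash) never leak.
function filterRecord(record, roles) {
  const allowed = visibleFields(roles);
  const out = {};
  for (const [key, value] of Object.entries(record)) {
    if (allowed.has(key)) out[key] = value;
  }
  return out;
}

// Constructed sample data standing in for the backing store.
const USERS = [
  { id: 1, name: "John", phoneNumber: "322-333", passwordHash: "constructed" },
  { id: 2, name: "Jane", phoneNumber: "444-555", passwordHash: "constructed" },
];

// GET /User: roles are taken from the server-side session (assumed to be
// already verified from the cookie/header), never from the URL or body.
function getUsers(session) {
  return USERS.map((u) => filterRecord(u, session.roles));
}

// GET /User/{id}: same filtering applied to a single record; null if missing.
function getUser(session, id) {
  const u = USERS.find((x) => x.id === id);
  return u ? filterRecord(u, session.roles) : null;
}
```

Because every role resolves to the same `/User` endpoint, a client never has to choose between `/Admin/User` and `/User/User`; the representation simply narrows or widens with the session's roles.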
