Eastern Monk

Reputation: 6645

API Design: How do I handle the following case involving user rights/role management

I am designing a Web API and it is fairly in its most basic stage.

Every user in my system can have one or more roles. (Example User and Administrator).

The API itself is designed as modules and methods. For example, I have a module User under which I have the following methods

USER

Now, in my user role management code each of these methods is a "Right". These rights are assigned to one or more roles for example the two Roles look like

user_role = ['get_profile_pic_url']
administrator_role = ['get_profile_pic_url', 'get_friends_of']

So whenever a user tries to invoke a method I see if any of his roles have this method mentioned as a right. If yes it is invoked else it is not.

This works like butter except in the following case.

User X does not have right to invoke 'get_friends_of' generally but I want to allow him to invoke that method whenever he is trying to fetch his own friends.

For example get_friends_of(X) is allowed but get_friends_of(y) will be denied.

My question is how I can incorporate these cases in my design?

One immediate solution might be that I introduce a "get_my_friends" method, but then it increases the size of my API, I have to write more documentation, and when you come to see it, it's actually just a special case of "get_friends_of". Also it is not extensible, in the sense that I might want to allow the user to see friends of friends.

One of the design goals in my API is that each method call would be mutually exclusive.

Upvotes: 1

Views: 123
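The scheme the question describes (roles map to rights, a right is a method name, deny unless some role holds it) plus the "own friends" exception can be kept in one method if the authorization check combines the role lookup with a relationship predicate on the target. The following is an added example in Python, not code from the question; the friend graph, the `Caller` type, the `authorized` decorator and the predicate names (`is_self`, `is_friend_of_caller`) are assumptions made for illustration. It also goes one step beyond the question by including the "friends of friends" extension as a second predicate, to show that extension does not require a new API method. The check stays deny-by-default, and putting it in a decorator keyed on the function name means a method cannot be exposed without its right being checked.

```python
import functools
from dataclasses import dataclass

# Constructed sample data (not from the question): a tiny friend graph and profile pictures.
FRIENDS = {"x": {"a", "b"}, "a": {"x", "c"}, "y": {"c"}, "admin": set()}
PROFILE_PICS = {"x": "pic-x", "a": "pic-a", "y": "pic-y", "admin": "pic-admin"}

# Roles map to rights, and a right is simply a method name, exactly as in the question.
ROLE_RIGHTS = {
    "user": {"get_profile_pic_url"},
    "administrator": {"get_profile_pic_url", "get_friends_of"},
}


@dataclass(frozen=True)
class Caller:
    """The authenticated principal making the call (assumed to come from the auth layer)."""
    user_id: str
    roles: frozenset


class PermissionDenied(Exception):
    pass


# Relationship conditions (hypothetical names): a right that no role grants can still be
# exercised when one of these predicates holds for (caller, target). Allowing "friends of
# friends" later is one more entry in the list, not a new API method.
def is_self(caller, target_id):
    return caller.user_id == target_id


def is_friend_of_caller(caller, target_id):
    return target_id in FRIENDS.get(caller.user_id, set())


RELATIONSHIP_CONDITIONS = {
    "get_friends_of": [is_self, is_friend_of_caller],
}


def granted_by_role(caller, right):
    return any(right in ROLE_RIGHTS.get(role, set()) for role in caller.roles)


def is_authorized(caller, right, target_id=None):
    """Deny by default: allow only via a role right or a relationship condition that holds."""
    if granted_by_role(caller, right):
        return True
    for condition in RELATIONSHIP_CONDITIONS.get(right, []):
        if target_id is not None and condition(caller, target_id):
            return True
    return False


def authorized(func):
    """Use the decorated function's name as the right and check it before the body runs.
    Assumed convention: the first argument after `caller` is the target user id."""
    right = func.__name__

    @functools.wraps(func)
    def wrapper(caller, target_id, *args, **kwargs):
        if not is_authorized(caller, right, target_id):
            raise PermissionDenied(f"{caller.user_id} may not call {right} for {target_id}")
        return func(caller, target_id, *args, **kwargs)

    return wrapper


@authorized
def get_friends_of(caller, target_id):
    return sorted(FRIENDS.get(target_id, set()))


@authorized
def get_profile_pic_url(caller, target_id):
    return PROFILE_PICS[target_id]


if __name__ == "__main__":
    x = Caller("x", frozenset({"user"}))
    admin = Caller("admin", frozenset({"user", "administrator"}))
    print(get_friends_of(x, "x"))        # own friends: allowed by is_self
    print(get_friends_of(x, "a"))        # a friend's friends: allowed by is_friend_of_caller
    print(get_friends_of(admin, "y"))    # any user: allowed by the administrator role
    try:
        get_friends_of(x, "y")           # unrelated user: denied
    except PermissionDenied as exc:
        print("denied:", exc)
```

The relationship predicates are the only place that looks at parameter values, so the role table stays a flat name-to-rights map and the API surface is unchanged; a denied call raises rather than silently returning an empty list, which is what you want both for the client and for logging.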

Answers (2)

Bull

Reputation: 701

The way your authorisation works... you have:
- User --> Roles
- Roles --> Rights (function name)

If you implement what you are trying to do.... you would make it:
- Roles --> Rights (function name + specific parameter value).

This does not feel right. You can have rights based on function name and param value but then your entire authorisation logic will have too much logic... it will get very complicated to maintain.

I suggest you do what you said.... create a new function get_my_friends()

Upvotes: 1

Steve Wilkes

Reputation: 7135

It seems to me that your User module is being used in two different ways - to represent individual User entities (the get_my_friends and get_profile_pic_url cases) and to provide general user-related access (the get_friends_of case). You might want to consider separating these, perhaps into a User and a UserRepository, where the former represents a real-world User who has friends and a profile picture URL, and the latter provides generic access to Users.

The following are some links explaining more about the concepts you're encountering:

Upvotes: 0
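The split this answer suggests can be sketched as follows. This is an added example in Python, not code from the answer: the backing store, the role table and the `_require` helper are assumptions, and it assumes the `User` object for the caller is handed out by the authentication layer so that a caller only ever holds its own `User`. With that split, "my friends" is a property of the authenticated entity and needs no special-case rule, while "friends of someone else" lives on the repository and is gated on a role right.

```python
from dataclasses import dataclass

# Constructed backing store and role assignments (not from the answer).
_STORE = {
    "x": {"friends": {"a", "b"}, "pic": "pic-x"},
    "y": {"friends": {"c"}, "pic": "pic-y"},
    "admin": {"friends": set(), "pic": "pic-admin"},
}
_ROLES = {"x": {"user"}, "y": {"user"}, "admin": {"user", "administrator"}}


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class User:
    """A real-world user. The caller's own instance comes from authentication (assumed);
    instances for other users are only ever created inside UserRepository."""
    user_id: str

    @property
    def friends(self):
        return sorted(_STORE[self.user_id]["friends"])

    @property
    def profile_pic_url(self):
        return _STORE[self.user_id]["pic"]


class UserRepository:
    """Cross-user access. Rights are checked per method on the caller's roles only;
    no parameter-value rules are needed here because self-access never goes through it."""

    RIGHTS = {
        "get_friends_of": {"administrator"},
        "get_profile_pic_url": {"user", "administrator"},
    }

    def __init__(self, caller: User):
        self.caller = caller

    def _require(self, right):
        # Deny by default: the caller must hold at least one role that grants the right.
        if not _ROLES.get(self.caller.user_id, set()) & self.RIGHTS[right]:
            raise PermissionDenied(f"{self.caller.user_id} lacks {right}")

    def get_friends_of(self, user_id):
        self._require("get_friends_of")
        return User(user_id).friends

    def get_profile_pic_url(self, user_id):
        self._require("get_profile_pic_url")
        return User(user_id).profile_pic_url


if __name__ == "__main__":
    me = User("x")                       # as handed out by authentication
    print(me.friends)                    # own friends: no authorization rule needed
    print(UserRepository(User("admin")).get_friends_of("y"))   # admin: allowed
    try:
        UserRepository(me).get_friends_of("y")                 # plain user: denied
    except PermissionDenied as exc:
        print("denied:", exc)
```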
