Reputation: 200
I have a question about design patterns. Suppose I have a RESTful API and two tables in the DB:
company
---------------
id
Name
Address
and
User
----------------
Id
Login
Password
CompanyId <-FK to company
Let's suppose that a user from company 1 is logged in and wants to get user data by id, but the specified ID has a CompanyId different from the logged-in user's.
for example:
1) myapi.com/api/getuser/1 -> user id 1 has the same company as the logged-in user
2) myapi.com/api/getuser/2 -> user id 2 has a different company from the logged-in user (should be inaccessible to the logged-in user)
Of course the above example is trivial; I am asking about more complicated (general) cases, where many tables are in cascade relations.
Do you have any experience with the above problem?
Upvotes: 0
Views: 71
Reputation: 47375
This is called tenancy. Principal A is only allowed to view data for other users in Company A. Principal A should not be able to see Company B's user data, and Principal B should not be able to view data for users in Company A. When you have security rules like this that need to be enforced, you are dealing with a multitenant system.
When you have "multiple tables in cascade relations" as you call it, each of those other sets of data should be traceable to a tenancy. You will need to figure out what that tenancy is, and what company / companies the Principal is authorized for. If they don't match, your API should return a 403 Forbidden response.
Upvotes: 1
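One way to implement the tenancy check the answer describes, as an added example that is not part of the question or the answer above. It uses the question's company and user tables plus two assumed tables (document owned by a user, attachment owned by a document) to stand in for the "cascade relations": every table is mapped to its parent and FK column, the handler walks that chain from the requested row up to a company id, and compares it with the principal's company before returning anything. The sample data is constructed inline.

```python
import sqlite3

# Chain of ownership: each table maps to (parent_table, fk_column) until the
# walk reaches "company", which is the tenant itself. "document" and
# "attachment" are assumed for illustration; the question defines only
# company and user.
OWNERSHIP = {
    "user": ("company", "company_id"),
    "document": ("user", "owner_user_id"),
    "attachment": ("document", "document_id"),
}


def build_db():
    """Constructed sample data: two companies, one user each, nested rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE company (id INTEGER PRIMARY KEY, name TEXT, address TEXT);
        CREATE TABLE user (id INTEGER PRIMARY KEY, login TEXT, password TEXT,
                           company_id INTEGER REFERENCES company(id));
        CREATE TABLE document (id INTEGER PRIMARY KEY, title TEXT,
                               owner_user_id INTEGER REFERENCES user(id));
        CREATE TABLE attachment (id INTEGER PRIMARY KEY, filename TEXT,
                                 document_id INTEGER REFERENCES document(id));
        INSERT INTO company VALUES (1, 'Company A', '1 A St'), (2, 'Company B', '2 B St');
        INSERT INTO user VALUES (1, 'alice', 'hash-a', 1), (2, 'bob', 'hash-b', 2);
        INSERT INTO document VALUES (10, 'A plan', 1), (20, 'B plan', 2);
        INSERT INTO attachment VALUES (100, 'a.pdf', 10), (200, 'b.pdf', 20);
    """)
    return conn


def tenant_of(conn, table, row_id):
    """Walk the FK chain from (table, row_id) up to its company id.

    Returns None if the row, or any link above it, does not exist."""
    while table != "company":
        # Table and column names come from OWNERSHIP, never from the request,
        # so interpolating them is safe; the id is always bound as a parameter.
        parent, fk = OWNERSHIP[table]
        row = conn.execute(f"SELECT {fk} FROM {table} WHERE id = ?", (row_id,)).fetchone()
        if row is None or row[0] is None:
            return None
        table, row_id = parent, row[0]
    exists = conn.execute("SELECT 1 FROM company WHERE id = ?", (row_id,)).fetchone()
    return row_id if exists else None


def get_row(conn, principal_user_id, table, row_id):
    """HTTP-style (status, body) for GET /api/<table>/<row_id> by principal_user_id."""
    if table not in OWNERSHIP:
        return 404, None
    principal_tenant = tenant_of(conn, "user", principal_user_id)
    if principal_tenant is None:          # unknown principal: not authenticated
        return 401, None
    resource_tenant = tenant_of(conn, table, row_id)
    if resource_tenant is None:           # row (or something above it) missing
        return 404, None
    if resource_tenant != principal_tenant:
        return 403, None                  # belongs to another tenant
    cur = conn.execute(f"SELECT * FROM {table} WHERE id = ?", (row_id,))
    body = dict(zip([d[0] for d in cur.description], cur.fetchone()))
    body.pop("password", None)            # never echo credential columns
    return 200, body


if __name__ == "__main__":
    db = build_db()
    print(get_row(db, 1, "user", 1))          # alice reads herself: 200
    print(get_row(db, 1, "user", 2))          # alice reads bob (Company B): 403
    print(get_row(db, 1, "attachment", 200))  # attachment -> document 20 -> bob -> Company B: 403
```

The walk is generic: adding a new table only means adding one entry to OWNERSHIP, so the check cannot be forgotten in a new endpoint. Whether a cross-tenant row should answer 403 or 404 is a design choice; 403 matches the answer above, while scoping every query with the principal's company id instead (WHERE ... AND company_id = ?) makes foreign rows indistinguishable from missing ones and avoids confirming that they exist.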