user2080105

Reputation: 1686

Is it better to separate rest API routes according to permissions?

I am working on a resource that can be updated using a PUT request to update any fields depending on the request content. I am facing an issue managing permissions for this route. Some fields can be updated by any user; others need administration privileges. I am parsing the content of the request to decide on permissions. Does it make sense to separate routes depending on permissions: update basic information, update some sensitive fields, update state (needs administration permission)?

Upvotes: 3

Views: 857

Answers (1)

Jesse Squire

Reputation: 7875

I'm not sure if you're looking for advice specific to the Django REST framework, but as I'm not familiar with it, I'll offer my thoughts on RESTful design in general.

REST is all about resources, which you can think of as a noun. Each "route" should represent a unique resource, and each resource should be represented by a single URI. Typically, that'll follow the pattern of root/collection/resource, where collection and resource may repeat. For example: http://api.halo.com/players/SomeGuy/matches/1234

In the scenario that you describe, you're making a partial update (PATCH) to that resource, where the caller may update one or more fields. Regardless of the caller, you're still intending that the same resource be updated. Because you're making changes to the same noun, RESTful convention would dictate that it be the same URI.

What I would advise would be to have a single URI that responds to the PATCH verb and accepts the changes that the caller wishes to make. During your validation of the incoming message, if you see the restricted fields specified and the caller does not have the correct permissions, then respond with an HTTP 403 (Forbidden) to signal "we know who you are, but you do not have permission to do what you're asking to do."

Upvotes: 3
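The single-URI PATCH design from the answer, as an added example (not code from the question or the answer, and not Django REST framework code; it is framework-agnostic so it runs stand-alone). The field sets, the `Caller` and `Resource` types, and the `patch_resource` function are assumptions made for illustration. The key point it shows is that the permission check runs over the whole request body before anything is written, so a request mixing allowed and restricted fields is rejected as a unit with 403 rather than partially applied.

```python
"""Single PATCH endpoint with field-level permission checks.

Added example (assumed names, not from the original post). The handler
validates the full set of requested changes first and only then applies
them, so a rejected request never leaves the resource half-updated.
"""
from dataclasses import dataclass, field

# Fields any authenticated caller may change vs. fields that need admin rights.
PUBLIC_FIELDS = {"display_name", "bio"}
ADMIN_FIELDS = {"state", "credit_limit"}
ALL_FIELDS = PUBLIC_FIELDS | ADMIN_FIELDS


@dataclass
class Caller:
    """Authenticated principal (assumed shape)."""
    user_id: str
    is_admin: bool = False


@dataclass
class Resource:
    """The thing being patched; constructed sample data."""
    data: dict = field(default_factory=lambda: {
        "display_name": "SomeGuy",
        "bio": "",
        "state": "active",
        "credit_limit": 100,
    })


def patch_resource(caller, resource, changes):
    """Apply a partial update. Returns (http_status, response_body).

    401: no authenticated caller at all.
    400: body names fields that do not exist on the resource.
    403: caller is known but lacks rights for one or more requested fields.
    200: every requested field was permitted; all changes applied.
    """
    if caller is None:
        return 401, {"detail": "Authentication required."}

    requested = set(changes)
    unknown = requested - ALL_FIELDS
    if unknown:
        return 400, {"detail": "Unknown fields.", "fields": sorted(unknown)}

    # Authorization is decided on the whole body, before any write.
    restricted = requested & ADMIN_FIELDS
    if restricted and not caller.is_admin:
        return 403, {
            "detail": "You do not have permission to modify these fields.",
            "fields": sorted(restricted),
        }

    resource.data.update(changes)
    return 200, dict(resource.data)


if __name__ == "__main__":
    res = Resource()
    print(patch_resource(Caller("u1"), res, {"display_name": "NewName"}))
    print(patch_resource(Caller("u1"), res, {"bio": "hi", "state": "banned"}))
    print(patch_resource(Caller("admin", is_admin=True), res, {"state": "banned"}))
```

Because the 403 response lists which fields were rejected, a caller with ordinary rights can resubmit without the restricted fields; the admin-only fields themselves are still served by the same URI, which is the point the answer makes.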
