visortelle

Reputation: 1029

Best practices for REST resource's property level permissions

Imagine you have a resource like this one returned by a REST API at /api/catalogs/1:

{
  "items": ["item1", "item2"],
  "details": ["1", "2", "3"]
}

Imagine you want to restrict access to some response fields for some users. For example, restrict access to the details field.

Question: which response format is the best in this case?

Option 1 - omit field.

{
  "items": ["item1", "item2"]
}

Option 2 - return nulled field.

{
  "items": ["item1", "item2"],
  "details": null
}

Any other options?

Upvotes: 0

Views: 76

Answers (2)

cassiomolin

Reputation: 130857

It depends on your needs.

But if the API consumer shouldn't know about the existence of a particular property (or doesn't have access to it), it makes more sense to omit it rather than returning null values (since it may cause misunderstanding for the API consumer).

Upvotes: 1

CyrilHskt

Reputation: 151

I think you should avoid displaying that details exist unless it serves a real purpose for consumers. So omit that field.

Upvotes: 1
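
Option 1 from the question, which both answers recommend, sketched as a server-side allowlist next to Option 2 for comparison. This is an added example, not code from the original posts; FIELD_POLICY, the role names, the internalNotes property and the function names are assumptions.

```javascript
// Added example; FIELD_POLICY, the roles and internalNotes are hypothetical.
// Allowlist of readable properties per resource type and role.
// Deny by default: anything not listed is never serialized.
const FIELD_POLICY = new Map([
  ['catalog', new Map([
    ['admin', ['items', 'details']],
    ['viewer', ['items']],
  ])],
]);

function allowedFields(role, resourceType) {
  const byRole = FIELD_POLICY.get(resourceType);
  return (byRole && byRole.get(role)) || [];
}

// Option 1: copy only allowlisted properties, so restricted ones are
// absent and a newly added property stays hidden until it is listed.
function serializeOmitted(role, resourceType, record) {
  const out = {};
  for (const field of allowedFields(role, resourceType)) {
    if (Object.prototype.hasOwnProperty.call(record, field)) {
      out[field] = record[field];
    }
  }
  return out;
}

// Option 2: keep every key and null the restricted ones. The key names
// still reach the caller, and "restricted" looks the same as "empty".
function serializeNulled(role, resourceType, record) {
  const allowed = new Set(allowedFields(role, resourceType));
  const out = {};
  for (const field of Object.keys(record)) {
    out[field] = allowed.has(field) ? record[field] : null;
  }
  return out;
}

// Constructed record for /api/catalogs/1, with one later-added property.
const catalog = {
  items: ['item1', 'item2'],
  details: ['1', '2', '3'],
  internalNotes: 'constructed sample value',
};

console.log(JSON.stringify(serializeOmitted('viewer', 'catalog', catalog)));
console.log(JSON.stringify(serializeNulled('viewer', 'catalog', catalog)));
```

Whichever shape is returned, the filtering has to happen on the server before serialization; hiding the field in the client leaves it readable in the raw response.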
