堆栈内存溢出
  简体   繁体   English

如果用户无权访问某些请求的资源,那么使用标识符作为查询参数的 GET 调用的 REST 响应应该是什么?

[英]What should be REST response for GET call with identifiers as the query parameter if user does not have access to some of the requested resources?

 原文  2021-06-30 02:10:21       rest

问题描述

I am designing a REST API, where the user can place a GET call and fetch a list of items.我正在设计一个 REST API,用户可以在其中进行 GET 调用并获取项目列表。

One of the query parameters that this API is allowing is also ids , a comma-separated list of identifiers that should be fetched.此 API 允许的查询参数之一也是ids ,即应获取的以逗号分隔的标识符列表。

This is an ability to filter items based on the known ids of resources.这是一种基于资源的已知 id 过滤项目的能力。

GET /entities?ids=1,2,3

Now, there is also an authorization framework in this mix that provides an answer of what resources the user actually has access to.现在,在这个组合中还有一个授权框架,它提供了用户实际可以访问哪些资源的答案。

So, say from the list of requested ids: 1,2,3 the user has access only to 1 and 3 .因此,从请求的 id 列表中说: 1,2,3用户只能访问13 They are not allowed to access a resource with id 2 .他们不允许访问 id 为2的资源。

What should be the REST response in this case?在这种情况下,REST 响应应该是什么?

Should I ignore the fact the user is asking for the forbidden resource and return 200 with the body containing items with ids 1 and 3 ?我是否应该忽略用户请求禁用资源的事实并返回200 ,其中包含 ID 为13项目的正文?

Or, maybe, return 403 in this case... Opinions?或者,也许,在这种情况下返回403 ... 意见?

1 个解决方案

解决方案1
 0  2021-06-30 09:36:35

This request should fail这个请求应该失败

The client is explicitly requesting a specific resource that it doesn't have access to.客户端显式请求它无权访问的特定资源 That should not be part of the normal flow of your application, and I'd say it warrants an outright rejection.这不应该是您申请的正常流程的一部分,我认为它值得彻底拒绝。

The client may need to process the returned data, so a successful response that doesn't include the requested data should not be allowed to happen.客户端可能需要处理返回的数据,因此不应允许发生不包含请求数据的成功响应。 If you do it, your client needs to write more code to account for this outcome, raising the likelihood of bugs and breaking trust with the client.如果你这样做,你的客户需要编写更多的代码来解释这个结果,增加错误的可能性并破坏与客户的信任。 Just return an error instead.只是返回一个错误。 Your client needs to handle these in any case.无论如何,您的客户都需要处理这些问题。

My choice would be a 403 response with a message that informs the client why the request failed and includes steps to correct the issue.我的选择是 403 响应,其中包含一条消息,通知客户端请求失败的原因,并包括纠正问题的步骤。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 修改 REST API 响应以仅包含查询参数中请求的字段 - Modify REST API response to only include fields requested in query parameter 有哪些方法可以返回用户有权使用 REST API 访问的资源子集? - What are some methods for returning a subset of resources user is authorized to access with a REST API? Rest API Hateoas:API 响应应该将标识符作为硬编码还是作为占位符? - Rest API Hateoas : Should API response have identifiers as hard coded or as placeholders? 如果请求的字段不存在,则正确的 REST 响应 - Proper REST response if a requested field does not exist 当属性在 REST api 中没有值时应该返回什么? - What should be returned when a property does not have a value in a REST api? REST API具有“必需”响应属性是什么意思? - What does it mean for a REST API to have a `required` response property? REST服务中的资源应该是什么样的? - What should resources in a REST service be like? 在 REST API 响应中返回指向资源位置的 URL 允许什么? - What does returning URLs in a REST API response pointing to the location of resources allow for? 当提供无效的查询参数时,REST API是否应返回4xx响应? - Should a REST API return a 4xx response when an invalid query parameter is supplied? 我是否应该在REST API响应中包括URL或资源ID? - Should I include URLs or Ids of resources in REST API response?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM