[英]What should be REST response for GET call with identifiers as the query parameter if user does not have access to some of the requested resources?
I am designing a REST API, where the user can place a GET call and fetch a list of items.我正在设计一个 REST API,用户可以在其中进行 GET 调用并获取项目列表。
One of the query parameters that this API is allowing is also ids
, a comma-separated list of identifiers that should be fetched.此 API 允许的查询参数之一也是
ids
,即应获取的以逗号分隔的标识符列表。
This is an ability to filter items based on the known ids of resources.这是一种基于资源的已知 id 过滤项目的能力。
GET /entities?ids=1,2,3
Now, there is also an authorization framework in this mix that provides an answer of what resources the user actually has access to.现在,在这个组合中还有一个授权框架,它提供了用户实际可以访问哪些资源的答案。
So, say from the list of requested ids: 1,2,3
the user has access only to 1
and 3
.因此,从请求的 id 列表中说:
1,2,3
用户只能访问1
和3
。 They are not allowed to access a resource with id 2
.他们不允许访问 id 为
2
的资源。
What should be the REST response in this case?在这种情况下,REST 响应应该是什么?
Should I ignore the fact the user is asking for the forbidden resource and return 200
with the body containing items with ids 1
and 3
?我是否应该忽略用户请求禁用资源的事实并返回
200
,其中包含 ID 为1
和3
项目的正文?
Or, maybe, return 403
in this case... Opinions?或者,也许,在这种情况下返回
403
... 意见?
The client is explicitly requesting a specific resource that it doesn't have access to.客户端显式请求它无权访问的特定资源。 That should not be part of the normal flow of your application, and I'd say it warrants an outright rejection.
这不应该是您申请的正常流程的一部分,我认为它值得彻底拒绝。
The client may need to process the returned data, so a successful response that doesn't include the requested data should not be allowed to happen.客户端可能需要处理返回的数据,因此不应允许发生不包含请求数据的成功响应。 If you do it, your client needs to write more code to account for this outcome, raising the likelihood of bugs and breaking trust with the client.
如果你这样做,你的客户需要编写更多的代码来解释这个结果,增加错误的可能性并破坏与客户的信任。 Just return an error instead.
只是返回一个错误。 Your client needs to handle these in any case.
无论如何,您的客户都需要处理这些问题。
My choice would be a 403 response with a message that informs the client why the request failed and includes steps to correct the issue.我的选择是 403 响应,其中包含一条消息,通知客户端请求失败的原因,并包括纠正问题的步骤。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.