
Restrict CRUD in REST API to owner

My API has these routes defined:

GET test.com/api/v1/users
POST test.com/api/v1/users
PUT test.com/api/v1/users/{id}
GET test.com/api/v1/users/{id}
DELETE test.com/api/v1/users/{id}

Also, I'm using OAuth2 password authentication, so these resources are only available once authenticated.

My point is: keeping RESTful API principles, how should I approach limiting the PUT and DELETE methods to the actual resource owner?

Basically I don't want anybody except the owner to be able to edit his information.

You have implemented the authentication part of your system, meaning your application knows who the users are. Now you need to devise an authorization sub-system, meaning what your users have access to.

As your question is tagged PHP and Laravel, a quick Google search for laravel authorization brings results such as this:

https://github.com/machuga/authority-l4

or

http://laravel.io/forum/02-03-2014-authority-controller-authorization-library-cancan-port

This should be a good starting point.
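One way to implement that ownership rule in Laravel is a model policy plus the "can" route middleware. This is an added example, not code from the answer above or from the linked libraries; it assumes the default App\Models\User model, a UserController with the usual resource methods, and an "api" guard backed by the OAuth2 password grant.

```php
<?php
// app/Policies/UserPolicy.php -- added example, not from the answer above.
// Assumes the default App\Models\User model; Laravel auto-discovers a
// policy named App\Policies\UserPolicy for it (or register it explicitly
// in AuthServiceProvider::$policies).

namespace App\Policies;

use App\Models\User;

class UserPolicy
{
    // $actor is the user resolved from the OAuth2 access token, $target is
    // the record addressed by /users/{id}. The decision is made server-side
    // from the authenticated identity only; nothing the client sends in the
    // body or headers can widen it.
    public function update(User $actor, User $target): bool
    {
        return $actor->getKey() === $target->getKey();
    }

    public function delete(User $actor, User $target): bool
    {
        return $actor->getKey() === $target->getKey();
    }
}

// routes/api.php -- wire the policy in with route-model binding and the
// "can" middleware; a non-owner receives 403 before the controller runs.
// (UserController and the "api" guard name are assumptions.)
//
// Route::middleware('auth:api')->prefix('v1')->group(function () {
//     Route::get('users', [UserController::class, 'index']);
//     Route::post('users', [UserController::class, 'store']);
//     Route::get('users/{user}', [UserController::class, 'show']);
//     Route::put('users/{user}', [UserController::class, 'update'])
//         ->middleware('can:update,user');
//     Route::delete('users/{user}', [UserController::class, 'destroy'])
//         ->middleware('can:delete,user');
// });
//
// Inside a controller method the same check is $this->authorize('update', $user);
```

If the API should not reveal whether another user's record exists, a 404 for non-owners can be returned instead by scoping the lookup to the authenticated user rather than relying on the 403 from the policy.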

This is usually solved by appending a custom header, with a secret message, identifying the request as valid. I do not have any source on this, I'm afraid.

Usually headers beginning with an X are discarded from being parsed by other parties; X-Your-Secret, for example.
