
API Endpoints for Member and Administrator Users

I have the following resources in an API:

Company > Project > ProjectUser > User

The resources are related as follows:

  1. One company has many projects;

  2. ProjectUser defines Users that can access a project;

I am defining the API endpoints to get projects:

"/projects" > Get all projects that authenticated user can access        

"/companies/{companyId}/projects" > Get projects with `companyId` that authenticated user can access

I need 3 more endpoints only accessible by users that are Administrators:

  1. Get all projects of all users

  2. Get all projects of user with a given UserId ;

  3. Get projects with companyId of user with a given UserId .

How should the 5 endpoints become?

In situations such as this, user-specific resources are generally prefixed with something like `my`, `me`, `user`, etc. For example: `/my/projects` and `/my/companies/{companyId}/projects`. This helps distinguish between general requests that simply need authentication, but not resource-filtering, such as your admin case. For admin queries, you'd hit the `/projects` and `/companies/{companyId}/projects` endpoints. You can then protect these endpoints with something like `[Authorize(Roles = "Admin")]` and, assuming that the user is an admin, they'll receive all the projects. Whereas the `my`-prefixed routes would simply require `[Authorize]` to ensure there's some authenticated user, and then would utilize resource-level authorization to return only projects belonging to that user.
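The split the answer describes, as an added example that is not part of the original answer and is not ASP.NET code: a framework-free Python model of the five endpoints in which a decorator plays the role of `[Authorize]` / `[Authorize(Roles = "Admin")]` and the `my` routes apply a resource-level filter keyed on the authenticated principal. The paths `/users/{userId}/projects` and `/users/{userId}/companies/{companyId}/projects` are assumed here for the two admin endpoints the answer does not name, and the project and ProjectUser data are constructed for the example.

```python
# Added example (not from the original post): the five endpoints modelled
# without a web framework, so the authorization split is visible.
# /users/{userId}/... admin paths are an assumption; the answer only names
# /projects and /companies/{companyId}/projects for the admin case.
from dataclasses import dataclass, field
from functools import wraps

# Constructed sample data standing in for Company > Project > ProjectUser > User.
PROJECTS = {"p1": "c1", "p2": "c1", "p3": "c2"}  # projectId -> companyId
PROJECT_USERS = {"p1": {"alice"}, "p2": {"bob"}, "p3": {"alice", "bob"}}  # ProjectUser rows


@dataclass
class Principal:
    """What authentication established: who is calling and which roles they hold."""
    user_id: str
    roles: set = field(default_factory=set)


class Unauthorized(Exception):
    """No authenticated principal (HTTP 401)."""


class Forbidden(Exception):
    """Authenticated, but missing the required role (HTTP 403)."""


def authorize(roles=()):
    """Stands in for [Authorize] (no roles) or [Authorize(Roles=...)] (roles given)."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(principal, **params):
            if principal is None:
                raise Unauthorized()
            if roles and not (set(roles) & principal.roles):
                raise Forbidden()
            return handler(principal, **params)
        return wrapper
    return decorator


def projects_for_user(user_id, company_id=None):
    """Resource-level filter: projects the ProjectUser rows grant to user_id,
    optionally narrowed to one company."""
    return sorted(pid for pid, cid in PROJECTS.items()
                  if user_id in PROJECT_USERS.get(pid, ())
                  and (company_id is None or cid == company_id))


# "my" routes: any authenticated user. The identity comes from the principal,
# never from the URL, so a caller has no user id to tamper with here.
@authorize()
def my_projects(principal):
    return projects_for_user(principal.user_id)


@authorize()
def my_company_projects(principal, companyId):
    return projects_for_user(principal.user_id, companyId)


# Admin routes: role-gated; the target user, when any, is an explicit URL parameter.
@authorize(roles=("Admin",))
def all_projects(principal):
    return sorted(PROJECTS)


@authorize(roles=("Admin",))
def company_projects(principal, companyId):
    return sorted(pid for pid, cid in PROJECTS.items() if cid == companyId)


@authorize(roles=("Admin",))
def user_projects(principal, userId):
    return projects_for_user(userId)


@authorize(roles=("Admin",))
def user_company_projects(principal, userId, companyId):
    return projects_for_user(userId, companyId)


ROUTES = {
    "/my/projects": my_projects,
    "/my/companies/{companyId}/projects": my_company_projects,
    "/projects": all_projects,
    "/companies/{companyId}/projects": company_projects,
    "/users/{userId}/projects": user_projects,  # assumed path
    "/users/{userId}/companies/{companyId}/projects": user_company_projects,  # assumed path
}


def _match(template, path):
    """Return captured {name: value} if path matches the route template, else None."""
    t_parts, p_parts = template.strip("/").split("/"), path.strip("/").split("/")
    if len(t_parts) != len(p_parts):
        return None
    params = {}
    for t, p in zip(t_parts, p_parts):
        if t.startswith("{") and t.endswith("}"):
            params[t[1:-1]] = p
        elif t != p:
            return None
    return params


def dispatch(path, principal):
    """Route a GET request; returns (status, body) the way a framework would."""
    for template, handler in ROUTES.items():
        params = _match(template, path)
        if params is not None:
            try:
                return 200, handler(principal, **params)
            except Unauthorized:
                return 401, None
            except Forbidden:
                return 403, None
    return 404, None
```

The point worth checking in your own implementation is the same one this model makes explicit: a non-admin calling `/projects` or `/users/{userId}/projects` must get 403 from the role gate, and the `/my/...` routes must derive the user from the authenticated principal rather than from anything the client sends, so the only place a caller-supplied user id is honoured is behind the Admin role check.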
