I have the following resources in an API:
Company > Project > ProjectUser > User
The resources are related as follows:
One company has many projects;
ProjectUser defines Users that can access a project;
I am defining the API endpoints to get projects:
"/projects" > Get all projects that authenticated user can access
"/companies/{companyId}/projects" > Get projects with `companyId` that authenticated user can access
I need 3 more endpoints only accessible by users that are Administrators:
Get all projects of all users;
Get all projects of user with a given UserId;
Get projects with companyId of user with a given UserId.
How should the 5 endpoints become?
In situations such as this, user-specific resources are generally prefixed with something like `my`, `me`, `user`, etc. For example: `/my/projects` and `/my/companies/{companyId}/projects`. This helps distinguish between general requests that simply need authentication, but not resource-filtering, such as your admin case. For admin queries, you'd hit the `/projects` and `/companies/{companyId}/projects` endpoints. You can then protect these endpoints with something like `[Authorize(Roles = "Admin")]` and, assuming that the user is an admin, they'll receive all the projects. Whereas the `my`-prefixed routes would simply require `[Authorize]` to ensure there's some authenticated user, and then would utilize resource-level authorization to return only projects belonging to that user.
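To make the layering in the answer concrete, here is an added example (not part of the original question or answer, and not ASP.NET code) that models all five endpoints as a small in-memory router in Python. It assumes a constructed data set (companies 1 and 2, projects 10 to 13, users `alice`, `bob` and an `Admin`-role user `root`) and assumes the two admin per-user endpoints live under `/users/{userId}/...`, which the answer does not specify. The `authorize()` decorator plays the role of `[Authorize]` (401 for anonymous callers) and `[Authorize(Roles = "Admin")]` (403 for callers without the role); the `my` routes then apply the resource-level filter through the ProjectUser membership, while the admin routes do not.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data (assumption, not from the original post).
PROJECTS = {10: 1, 11: 1, 12: 2, 13: 2}                      # project_id -> company_id
PROJECT_USERS = {(10, "alice"), (12, "alice"), (11, "bob")}   # ProjectUser rows: (project_id, user_id)
USERS = {"alice": set(), "bob": set(), "root": {"Admin"}}     # user_id -> roles


@dataclass
class Request:
    path: str
    user: Optional[str] = None   # authenticated principal; None means anonymous


@dataclass
class Response:
    status: int
    body: object = None


def projects_visible_to(user_id: str, company_id: Optional[int] = None) -> list:
    """Resource-level filter: only projects the user is a member of via ProjectUser."""
    return sorted(
        pid for (pid, uid) in PROJECT_USERS
        if uid == user_id and (company_id is None or PROJECTS[pid] == company_id)
    )


def all_projects(company_id: Optional[int] = None) -> list:
    """No per-user filtering: every project, optionally narrowed to one company."""
    return sorted(pid for pid, cid in PROJECTS.items() if company_id is None or cid == company_id)


def authorize(role: Optional[str] = None) -> Callable:
    """Mirrors [Authorize] (role=None) and [Authorize(Roles = "Admin")] (role="Admin")."""
    def decorator(handler):
        def wrapped(req: Request, **params):
            if req.user is None:
                return Response(401)                       # not authenticated at all
            if role is not None and role not in USERS.get(req.user, set()):
                return Response(403)                       # authenticated, but lacks the role
            return handler(req, **params)
        return wrapped
    return decorator


@authorize()
def my_projects(req, companyId=None):
    # Filter by the *caller's* identity, never by anything in the path.
    return Response(200, projects_visible_to(req.user, companyId))


@authorize("Admin")
def admin_projects(req, companyId=None):
    return Response(200, all_projects(companyId))


@authorize("Admin")
def admin_user_projects(req, userId, companyId=None):
    # Hypothetical /users/{userId}/... layout for the two per-user admin endpoints.
    if userId not in USERS:
        return Response(404)
    return Response(200, projects_visible_to(userId, companyId))


ROUTES = [
    (r"^/my/projects$", my_projects),
    (r"^/my/companies/(?P<companyId>\d+)/projects$", my_projects),
    (r"^/projects$", admin_projects),
    (r"^/companies/(?P<companyId>\d+)/projects$", admin_projects),
    (r"^/users/(?P<userId>[^/]+)/projects$", admin_user_projects),
    (r"^/users/(?P<userId>[^/]+)/companies/(?P<companyId>\d+)/projects$", admin_user_projects),
]


def dispatch(req: Request) -> Response:
    """Match the path against the route table and run the handler with its path parameters."""
    for pattern, handler in ROUTES:
        m = re.match(pattern, req.path)
        if m:
            params = {k: (int(v) if k == "companyId" else v) for k, v in m.groupdict().items()}
            return handler(req, **params)
    return Response(404)


if __name__ == "__main__":
    print(dispatch(Request("/my/projects", "alice")))          # alice's own projects
    print(dispatch(Request("/projects", "alice")))             # 403: needs the Admin role
    print(dispatch(Request("/users/bob/projects", "root")))    # admin looking at bob
```

The point worth checking in any real implementation is the one the `my` handler makes explicit: the identity used for filtering comes from the authenticated principal, so a caller cannot widen the result set by editing the URL, while the admin-only routes are the only ones that accept a user identifier from the path.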