PHP
nepster-web, 2017-02-22 20:09:28

How to differentiate access rights in the API?

I'm designing an API, and a question about access control came up.
Suppose we have a content module (static pages, news, posts, notes, etc.). Taking news as an example, the following can happen:
- Users can view and create news
- Administrators can view and create news
However, there is one painful BUT:
- users can view and create news, but without manipulating certain fields (creation date, edit date, author, category, moderation, etc.)
- the administrator has far more rights and can do everything related to this.
If we take the REST methodology and assume the following URLs:
- /contents/records
- /contents/records/17
With this layout, a lot of logic is needed to work out who is trying to manipulate which fields.
Using another approach, you can split the whole thing up as follows:
- /contents/records
- /contents/records/17
- /control/contents/records
- /control/contents/records/17
How do you deal with a task like this?

3 answer(s)
xfg, 2017-02-23
@xfg

Make backend and frontend controllers. Through the backend controller you can change all the fields; through the frontend controller, not all of them. Make Users and Administrators using RBAC. Users can call frontend controllers and cannot call backend controllers.
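The split this answer describes can also be enforced inside a single create endpoint by deciding the set of writable fields from the caller's RBAC role. The following is an added example and not the answerer's code; the role names, field names and the `user`/`admin` mapping are assumptions. It refuses a request that touches a field the role may not write, rather than silently dropping the field, so a regular user cannot set the author, dates or moderation flag that the question lists:

```php
<?php
// Added example (not from the original answer): one create endpoint whose
// writable field set is chosen by the caller's role (RBAC). Role names and
// field names are assumptions for the example.

declare(strict_types=1);

const WRITABLE_FIELDS = [
    // Regular users supply content only; system-managed fields are set server-side.
    'user'  => ['title', 'body'],
    // Administrators may also set the metadata fields the question lists.
    'admin' => ['title', 'body', 'author_id', 'category_id',
                'created_at', 'updated_at', 'moderated'],
];

/**
 * Reduce a request payload to the fields the role may write.
 * Returns [$accepted, $rejected] so the caller can answer with an error
 * on $rejected instead of quietly ignoring those fields.
 */
function filterFieldsForRole(string $role, array $payload): array
{
    $allowed  = WRITABLE_FIELDS[$role] ?? [];            // unknown role => nothing writable
    $accepted = array_intersect_key($payload, array_flip($allowed));
    $rejected = array_keys(array_diff_key($payload, $accepted));
    return [$accepted, $rejected];
}

/** Build the record to persist; server-managed defaults fill what the role may not set. */
function buildRecord(string $role, int $currentUserId, array $payload): array
{
    [$accepted, $rejected] = filterFieldsForRole($role, $payload);
    if ($rejected !== []) {
        // Fail closed: a user trying to set author_id or moderated is refused.
        throw new RuntimeException(
            'Fields not permitted for role ' . $role . ': ' . implode(', ', $rejected)
        );
    }
    $now = date('c');
    // Array union keeps the left-hand (explicitly accepted) values, so an
    // admin's explicit author_id overrides the default; a user gets the defaults.
    return $accepted + [
        'author_id'  => $currentUserId,
        'created_at' => $now,
        'updated_at' => $now,
        'moderated'  => false,
    ];
}

// Constructed sample requests (both try to set author and moderation).
$payload = ['title' => 'Hello', 'body' => 'text', 'author_id' => 1, 'moderated' => true];

print_r(buildRecord('admin', 42, $payload));   // author_id 1, moderated true
try {
    buildRecord('user', 42, $payload);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;             // author_id, moderated rejected
}
print_r(buildRecord('user', 42, ['title' => 'Hello', 'body' => 'text'])); // author_id 42, moderated false
```

The same `filterFieldsForRole` can back both a frontend and a backend controller, or a single controller behind `/contents/records` and `/control/contents/records`; the point is that the allowlist is the one place that decides which fields a role may write.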

SimBioT19, 2017-02-22
@SimBioT19

It will be useful:
https://habrahabr.ru/company/dataart/blog/262817/

Alexander Pushkarev, 2017-02-22
@AXP-dev

Use access keys. Create a separate table KEY | ROLE and then check the key for access when querying. Pass it as a GET parameter or in a request header.
Example:

/contents/records?key=3c6e0b8a9c15224a8228b9a98ca1531d
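An added example, not the answerer's code, of the KEY | ROLE lookup combined with the URL split from the question: the key is read from a request header instead of the query string (query strings end up in access logs and browser history), the table stores a SHA-256 digest of each key rather than the key itself, and the resolved role decides whether a `/control/...` path may be called. The header name, table layout and the constructed keys are assumptions.

```php
<?php
// Added example (not from the original answer): resolve an API key from a
// request header to a role via a hashed KEY | ROLE table, then gate the
// /control/ URL prefix on that role. Header name, table layout and sample
// keys are assumptions / constructed values.

declare(strict_types=1);

// Constructed in-memory stand-in for the KEY | ROLE table: sha256(key) => role.
// A real service would run the same lookup as a query on the digest column.
$keyTable = [
    hash('sha256', 'constructed-user-key-0001')  => 'user',
    hash('sha256', 'constructed-admin-key-0001') => 'admin',
];

/** Extract the key from "Authorization: Bearer <key>"; null if absent or malformed. */
function extractApiKey(array $headers): ?string
{
    $auth = $headers['Authorization'] ?? '';
    if (!preg_match('/^Bearer\s+([A-Za-z0-9_\-]{16,128})$/', $auth, $m)) {
        return null;
    }
    return $m[1];
}

/** Resolve a key to its role; null when the key is unknown. */
function roleForKey(array $keyTable, ?string $key): ?string
{
    if ($key === null) {
        return null;
    }
    // Only the digest is looked up, so a leaked table does not leak usable keys.
    return $keyTable[hash('sha256', $key)] ?? null;
}

/** Authorization rule for the URL split from the question. */
function mayAccess(?string $role, string $path): bool
{
    if ($role === null) {
        return false;                               // no valid key: deny everything
    }
    if (str_starts_with($path, '/control/')) {
        return $role === 'admin';                   // backend routes: administrators only
    }
    return in_array($role, ['user', 'admin'], true); // frontend routes: any known role
}

// Constructed requests.
$requests = [
    [['Authorization' => 'Bearer constructed-user-key-0001'],  '/contents/records/17'],
    [['Authorization' => 'Bearer constructed-user-key-0001'],  '/control/contents/records/17'],
    [['Authorization' => 'Bearer constructed-admin-key-0001'], '/control/contents/records'],
    [[],                                                       '/contents/records'],
];

foreach ($requests as [$headers, $path]) {
    $role = roleForKey($keyTable, extractApiKey($headers));
    printf("%-30s role=%-5s allowed=%s\n", $path, $role ?? 'none',
           mayAccess($role, $path) ? 'yes' : 'no');
}
// Expected: user allowed on /contents, denied on /control; admin allowed on /control; no key denied.
```

`str_starts_with` needs PHP 8; on older versions `strncmp($path, '/control/', 9) === 0` does the same job. Keys should be generated with `random_bytes` and shown to the user once, since only the digest is kept.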
