我有一个典型的用户管理模块,我想为其创建REST API。用户应该能够访问他/她的详细信息,但不应该被允许访问其他用户详细信息。作为管理员用户应该能够获取任何用户或删除任何用户。
这就是我打算如何创建URL端点,任何建议?
# To create/register user
POST /api/users/
# or
POST /api/register/
# To get all users
# This will be allowed to access only by admins.
GET /api/users/
# To get current user.
# For admin, allowed
# For regular user, id will be validated against userid stored in the session.
GET /api/users/<id>/
# To update current user.
# This id will be validated against userid stored in the session.
PUT /api/users/<id>/
# To delete current user.
# For admin, allowed
# This id will be validated against userid stored in the session.
DELETE /api/users/<id>/
# Login
POST /api/login/
# Logout
GET /api/logout/
谢谢
答案 0 :(得分:4)
我认为您的端点方案非常好..唯一的情况是上下文将是传入的用户(来自url路径)而不是当前的用户。
# To create
POST /api/users
# To get all users
GET /api/users
# To get particular user.
GET /api/users/<id>
# To update particular user.
PUT /api/users/<id>
# To delete particular user
DELETE /api/users/<id>
答案 1 :(得分:3)
一般建议是使您的REST API无状态 - 即,如果不是在api会话中保留userId,则调用者在api请求中发送标识(带有auth标头)。然后,api将从头部检索用户,在执行任何核心操作之前检查该用户是否具有足够的权限(可以使用某种拦截器)。
查看此内容以获取更多详情 - https://stackoverflow.com/a/20311981/1384048