[Catalyst] Fine-grained access control with REST

Bill Moseley moseley at hank.org
Tue Apr 12 18:29:59 GMT 2011

In our aging Music application we have the familiar hierarchy Label ->
CD -> Track -> Note.  We also have an extra table for access control that
joins CDs with a User: cd_user.  The action "PUT /note/*" is allowed if the
Note object can be joined to the current user via the cd_user table.

Now we want to extend this to have fine-grained access control.  So, we
might have roles "owner" with full read/write access, "reader" with only
read access, and "editor" with read/write access but can only update a
subset of a Note's columns compared to the "owner".

Essentially, the "owner" and "editor" can both PUT a Note object but the
action would use different forms to validate the request and update the

So, my question is what makes for a good URL scheme?  One option is to use
"PUT /note/123" and before updating determine the type of access and select
that correct form object.  So, both editors and owners PUT to the same
URL but supplying different columns to update.

Another option is separate URLs such as "PUT /owner/note/123" and "PUT
/editor/note/123" making it very explicit.

What's your opinion about these options?  Is there a better approach?

I suppose it's not always a boolean access question:  a given user might
have multiple roles and may wish to pick which role to act as using
different URLs.

--

Bill Moseley
moseley at hank.org
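
The first option in the message above (one "PUT /note/123" URL, with the writable columns chosen from the caller's role), as an added example in plain Perl that is not part of the original post or of the poster's application. The "role" column on cd_user, the Note column names, and the helpers role_for and authorize_put are assumptions made for illustration.

```perl
use strict;
use warnings;

# Constructed sample data: cd_user rows carrying a hypothetical "role" column.
my @cd_user = (
    { cd_id => 10, user_id => 1, role => 'owner'  },
    { cd_id => 10, user_id => 2, role => 'editor' },
    { cd_id => 10, user_id => 3, role => 'reader' },
);
my %note_cd = (123 => 10);    # constructed: note 123 sits under CD 10

# Columns each role may update (column names are hypothetical).
my %writable = (
    owner  => { map { $_ => 1 } qw(title body visibility) },
    editor => { map { $_ => 1 } qw(body) },
    reader => {},
);

# Role of the user on the CD that owns the note, or undef if there is no join.
sub role_for {
    my ($user_id, $note_id) = @_;
    my $cd_id = $note_cd{$note_id};
    return unless defined $cd_id;
    for my $row (@cd_user) {
        return $row->{role}
            if $row->{cd_id} == $cd_id && $row->{user_id} == $user_id;
    }
    return;
}

# Decide a PUT on a note: returns (HTTP status, explanation).
# Disallowed columns are rejected, not silently dropped, so the attempt is visible.
sub authorize_put {
    my ($user_id, $note_id, $params) = @_;
    my $role = role_for($user_id, $note_id);
    return (403, 'no cd_user row links this user to the note') unless defined $role;
    my $allowed = $writable{$role} || {};
    return (403, "role $role has no write access") unless %$allowed;
    my @denied = sort grep { !$allowed->{$_} } keys %$params;
    return (403, "role $role may not update: @denied") if @denied;
    return (200, "role $role updates: " . join(' ', sort keys %$params));
}

# Constructed requests: [user_id, submitted columns]
for my $case ([1, { title => 'x', body => 'y' }], [2, { body => 'y' }],
              [2, { title => 'x' }], [3, { body => 'y' }], [9, { body => 'y' }]) {
    my ($status, $why) = authorize_put($case->[0], 123, $case->[1]);
    printf "user %d PUT /note/123 -> %d (%s)\n", $case->[0], $status, $why;
}
```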