I have a REST service with authentication, so I can prevent clients which aren't authenticated from doing specific things.
But how do I do the access control for a community-like service?
I mean, there is stuff like:
- you can edit your profile
- just your friends can download it
- just admins can delete your profile
- moderators can delete posts
- etc.
Which seem like different problems to me.
I've got something like roles: admin, moderator, user.
I've got something like "friends": a dynamic list of users.
I can do a match on the route for every request. Since it's a REST service, the route defines what gets done. So I could intercept every route and check it for permissions, which would keep the permission checking out of the controllers.
But how do I store it? Attaching it to every piece of information in the DB, or building and maintaining a separate data structure? If the latter, how do I structure it?
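One way to put the route-interception idea into code, as an added example that is not part of the original post: a single policy table maps (method, route pattern) to a check, and each check consults data the service already has (roles, friendships, resource ownership). The user names, routes, the in-memory `ROLES`, `FRIENDS` and `POSTS` stores and the `authorize` function are all constructed for this example; a real service would back them with its database and call `authorize` from one middleware before any controller runs.

```python
import re
from typing import Callable, Dict, List, Tuple

# --- Constructed sample data standing in for DB tables --------------------
# Roles: one row per user (a separate "roles" table, not attached to resources).
ROLES: Dict[str, str] = {"alice": "user", "bob": "user",
                         "carol": "moderator", "dave": "admin"}
# Friendships: a symmetric relationship table (the "dynamic list of users").
FRIENDS: Dict[str, set] = {"alice": {"bob"}, "bob": {"alice"}}
# Posts: ownership is just the author column the resource already carries.
POSTS: Dict[int, Dict[str, str]] = {1: {"author": "alice"}, 2: {"author": "bob"}}

# A check receives the acting user (None if unauthenticated) and the
# parameters parsed from the route, and returns True to allow.
Check = Callable[[object, Dict[str, str]], bool]


def is_self(actor, params) -> bool:
    """Ownership: the profile being touched belongs to the actor."""
    return actor is not None and actor == params["user_id"]


def is_friend(actor, params) -> bool:
    """Relationship: the profile owner has the actor in their friend list."""
    return params["user_id"] in FRIENDS.get(actor, set()) if actor else False


def has_role(*roles: str) -> Check:
    """Role-based check built from the roles table."""
    return lambda actor, params: ROLES.get(actor) in roles


def is_post_author(actor, params) -> bool:
    """Ownership derived from the post row; unknown posts are never owned."""
    post = POSTS.get(int(params["post_id"]))
    return post is not None and post["author"] == actor


def any_of(*checks: Check) -> Check:
    """Allow if any of the combined checks allows."""
    return lambda actor, params: any(c(actor, params) for c in checks)


# --- The separate data structure: a policy table keyed by route -----------
# Order matters only if patterns overlap; each entry is (method, regex, check).
POLICY: List[Tuple[str, str, Check]] = [
    ("GET",    r"^/profiles/(?P<user_id>\w+)$",
     any_of(is_self, is_friend, has_role("admin"))),      # friends can download
    ("PUT",    r"^/profiles/(?P<user_id>\w+)$", is_self),  # edit your own profile
    ("DELETE", r"^/profiles/(?P<user_id>\w+)$", has_role("admin")),
    ("DELETE", r"^/posts/(?P<post_id>\d+)$",
     any_of(is_post_author, has_role("moderator", "admin"))),
]


def authorize(actor, method: str, path: str) -> bool:
    """Route-level gate: find the matching policy entry and run its check.

    Routes with no policy entry are denied (default deny), so forgetting to
    register a new endpoint fails closed rather than open.
    """
    for policy_method, pattern, check in POLICY:
        if policy_method != method:
            continue
        match = re.match(pattern, path)
        if match:
            return bool(check(actor, match.groupdict()))
    return False


if __name__ == "__main__":
    for actor, method, path in [("alice", "PUT", "/profiles/alice"),
                                ("bob", "GET", "/profiles/alice"),
                                ("carol", "DELETE", "/posts/1"),
                                (None, "GET", "/profiles/alice")]:
        print(actor, method, path, "->", "allow" if authorize(actor, method, path) else "deny")
```

The split this illustrates: roles live in their own table, friendships in a relationship table, and ownership is whatever the resource row already records; the only thing attached to nothing in the database is the policy table itself, which is small, lives with the route definitions and is the one place to audit when a rule changes.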