授予访问端点的权限是一种好习惯吗?
例如
POST /permissions {method: "GET", resource: {href: "/users/*"}}
-> 201 {href: "/permissions/12345", id: 12345}
POST /roles/123/rolePermissions {permission: {id: 12345}}
在此之后检查给定模式的权限......
例如,如果我想授予朋友编辑我的一篇文章的权限,我可以执行以下操作:
GET /users/13/userPermissions
-> 200 {items: [{id: 99, shares: [], permission: {id: 1234, method: "PUT", resource: {href: "/article/1"}}}, ...]}
客户端用我的自定义权限打印了一张精美的表格,现在我可以选择权限 1234,并与我的朋友分享:
POST /userPermissions/99/shares {user: {id: 15}}
-> 201 {id: 111111}
-> new permission to "DELETE /userPermissions/99/shares/111111" is created and given to me (13)
-> permission to "PUT /article/1" given to my friend (15)
之后我也可以删除它
DELETE /userPermissions/99/shares/11111
-> permission to "PUT /article/1" revoked from my friend (15)
-> permission to "DELETE /userPermissions/99/shares/111111" revoked from me (13) and deleted
如果这种方法不能存储和检查权限,那么最佳实践是什么?