
Is granting permissions to access endpoints a good practice?

For example

POST /permissions {method: "GET", resource: {href: "/users/*"}}
-> 201 {href: "/permissions/12345", id: 12345}

POST /roles/123/rolePermissions {permission: {id: 12345}}

After that, permissions are checked against the given pattern...

For example, if I want to give a friend permission to edit one of my articles, I can do the following:

GET /users/13/userPermissions
-> 200 {items: [{id: 99, shares: [], permission: {id: 1234, method: "PUT", resource: {href: "/article/1"}}}, ...]}

The client prints a nice table of my custom permissions, and now I can pick permission 1234 and share it with my friend:

POST /userPermissions/99/shares {user: {id: 15}}
-> 201 {id: 111111}
-> new permission to "DELETE /userPermissions/99/shares/111111" is created and given to me (13)
-> permission to "PUT /article/1" given to my friend (15)

Afterwards I can also delete it

DELETE /userPermissions/99/shares/111111
-> permission to "PUT /article/1" revoked from my friend (15)
-> permission to "DELETE /userPermissions/99/shares/111111" revoked from me (13) and deleted

If this approach is not a good way to store and check permissions, what is the best practice?


1 Answer


No, it is not. REST is just a delivery mechanism. You can have other delivery mechanisms, such as SOAP, a plain HTML web application, Flash, Java, and so on... so the authorization logic must be independent of them; it should be part of the business logic, or it should sit between the business logic and delivery.

answered 2013-09-05T15:21:31.157
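One way to structure what the answer describes, as an added example that is not code from the question or the answer: the permission records from the question (HTTP method plus a resource pattern such as `/users/*`) and the share/revoke flow live in a service that knows nothing about HTTP, so a REST handler, a SOAP endpoint or an HTML form controller all call the same `is_allowed()` instead of deciding access themselves. The in-memory storage, the rule that `*` matches exactly one path segment, and every class and function name here are assumptions of mine.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    id: int
    method: str    # HTTP verb, e.g. "PUT"
    resource: str  # path pattern, e.g. "/users/*"; "*" matches one segment (assumption)

def matches(pattern: str, path: str) -> bool:
    """Segment-wise match: "*" stands for exactly one path segment."""
    pseg, rseg = pattern.strip("/").split("/"), path.strip("/").split("/")
    return len(pseg) == len(rseg) and all(p in ("*", r) for p, r in zip(pseg, rseg))

class AuthorizationService:
    """Business-logic layer: REST, SOAP or HTML controllers all call is_allowed()."""

    def __init__(self) -> None:
        self._catalog: dict[int, Permission] = {}
        self._granted: dict[int, set[int]] = {}             # user -> directly held permission ids
        self._shares: dict[int, tuple[int, int, int]] = {}  # share id -> (owner, perm id, grantee)
        self._next_share_id = 1

    def define(self, perm: Permission) -> None:
        self._catalog[perm.id] = perm

    def grant(self, user_id: int, perm_id: int) -> None:
        self._granted.setdefault(user_id, set()).add(perm_id)

    def share(self, owner: int, perm_id: int, grantee: int) -> int:
        # Deny by default: only a user who directly holds the permission may share it.
        if perm_id not in self._granted.get(owner, set()):
            raise PermissionError("owner does not hold this permission")
        share_id, self._next_share_id = self._next_share_id, self._next_share_id + 1
        self._shares[share_id] = (owner, perm_id, grantee)
        return share_id

    def revoke_share(self, requester: int, share_id: int) -> None:
        # Only the user who created the share may delete it (the DELETE .../shares/{id} step).
        if self._shares.get(share_id, (None,))[0] != requester:
            raise PermissionError("only the share owner may revoke it")
        del self._shares[share_id]

    def is_allowed(self, user_id: int, method: str, path: str) -> bool:
        held = set(self._granted.get(user_id, set()))
        held |= {pid for _, pid, grantee in self._shares.values() if grantee == user_id}
        return any(self._catalog[p].method == method and matches(self._catalog[p].resource, path)
                   for p in held)
```

Revoking the share removes the friend's access immediately because `is_allowed()` derives effective permissions from the current share table on every call rather than copying them onto the grantee.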