python - RESTfully routing an API based on user roles -

-

i developing api using flask-restful, , application has 3 roles.

  1. site_admin
  2. department_admin
  3. basic

for given resource, json object returned has different set of keys based on each role.

for example, if hit /orders "site_admin", result this:

{   "orders": [     {"id": 1, "user": "foo", "paid": true,  "department": "a", "code": 456},     {"id": 2, "user": "bar", "paid": false, "department": "a", "code": 567},     {"id": 3, "user": "meh", "paid": false, "department": "b", "code": 678}   ] }

however, if hit /orders "department_admin", result this:

{   "orders": [     {"id": 3, "user": "meh", "paid": false}   ] }

and if hit /orders "basic" minimal json response this:

{   "orders": [     {"id": 2, "paid": true}   ] }

what restful way of implementing this?

i can come 3 ways of doing it.

(1) using request arg , filtering on that:

class orders(restful.resource):   def get(self):     if request.args['role'] == 'site_admin':       return admin_json_response()     elif request.args['role'] == 'department_admin':       return dept_admin_json_response()     else:       return basic_json_response()  api.add_resource(orders, '/orders')

(2) filtering on session object:

class orders(restful.resource):   def get(self):     if session['role'] == 'site_admin':       return admin_json_response()     elif session['role'] == 'department_admin':       return dept_admin_json_response()     else:       return basic_json_response()  api.add_resource(orders, '/orders')

(3) having different route each role:

class orderssiteadmin(restful.resource):   def get(self):     return admin_json_response() api.add_resource(orderssiteadmin, '/orders_site_admin')  class ordersdeptadmin(restful.resource):   def get(self):     return dept_admin_json_response() api.add_resource(ordersdeptadmin, '/orders_dept_admin')  class ordersbasic(restful.resource):   def get(self):       return basic_json_response() api.add_resource(ordersbasic, '/orders_basic')

... there consensus on preferred way restfully?

thanks much!

your option #2 violates the "stateless" constraint, use of user sessions not idea in rest api, , instead should require clients provide authentication every request.

let's assume fix #2 , instead of user session have current_user variable, populated during authentication. rewrite example follows:

class orders(restful.resource):   def get(self):     if current_user.role == 'site_admin':       return admin_json_response()     elif current_user.role == 'department_admin':       return dept_admin_json_response()     else:       return basic_json_response()  api.add_resource(orders, '/orders')

let's @ 3 options 1 one:

  • (1) specifies role in query string, enable user request representation, passing desired role. why put role in query string? assume authenticate users, knowing user know role. seems unnecessary , give validation effort.

  • (3) creates different resources each role. once again, have ensure "basic" user not have access 2 urls apply higher roles, have validation work here.

  • (2) assumes user database stores role of each user, once user authenticated correct representation his/her role returned based on assigned role. is, think, best option, users have no way hack way data not allowed see.

speaking of being restful, @ representations, can improved. consider implementing links other resources instead of providing ids, comply hateoas constraint.


Comments

Post a Comment

Popular posts from this blog

c++ - OpenMP unpredictable overhead -

-
i have simple openmp code runs 4 empty threads , reports time: #include "omp.h" #include <sys/time.h> #include <cstdio> double start_time; void process_thread() { } int main(){ struct timeval tv; gettimeofday(&tv, null); start_time = 1000*((double)tv.tv_sec + 1e-6*(double)tv.tv_usec); printf("beginning time: %.3fms ",start_time-start_time); #pragma omp parallel schedule(static,1) for(int i=0;i<4;i++) process_thread(); gettimeofday(&tv, null); double cur_time = 1000*((double)tv.tv_sec + 1e-6*(double)tv.tv_usec); printf("finishing time: %.3fms\n\n",cur_time-start_time); } without openmp running time small , consistent: beginning time: 0.000ms finishing time: 0.050ms beginning time: 0.000ms finishing time: 0.050ms beginning time: 0.000ms finishing time: 0.049ms beginning time: 0.000ms finishing time: 0.049ms beginning time: 0.000ms finishing time: 0.050ms beginnin...
Read more

ruby on rails - RuntimeError: Circular dependency detected while autoloading constant - ActiveAdmin.register Role -

-
i using activeadmin , have file doing this: activeadmin.register role something--- end however, server gives me error: runtimeerror: circular dependency detected while autoloading constant role /library/ruby/gems/2.0.0/gems/activesupport-4.0.10/lib/active_support/dependencies.rb:461:in `load_missing_constant' /library/ruby/gems/2.0.0/gems/activesupport-4.0.10/lib/active_support/dependencies.rb:184:in `const_missing' ~/desktop/boxfox/app/admin/role.rb:1:in `<top (required)>' /library/ruby/gems/2.0.0/gems/activesupport-4.0.10/lib/active_support/dependencies.rb:424:in `load' /library/ruby/gems/2.0.0/gems/activesupport-4.0.10/lib/active_support/dependencies.rb:424:in `block in load_file' /library/ruby/gems/2.0.0/gems/activesupport-4.0.10/lib/active_support/dependencies.rb:616:in `new_constants_in' /library/ruby/gems/2.0.0/gems/activesupport-4.0.10/lib/active_support/dependencies.rb:423:in `load_file' /library/ruby/gems/2.0.0/gems/activesuppor...
Read more

javascript - Wordpress slider, not displayed 100% width -

-
so im making first wordpress theme scratch going fine got problem. want slider on homepage 1 thing wrong. im setting width of image 100% !important doesnt go 100% width. makes image wider not 100%. example here: http://bit.ly/11ouebg see image doesnt contain whole width. can see background-color. really weird, im using meteor slides. i hope can me out :d
Read more