restful url - REST API - filters, child entities or is leaking information really so bad? -


the basic problem

i have rest api. sake of example, let's have users, can members in number of groups, , both users , groups can own objects.

any user can filter objects various criteria:

/objects?color=green  /objects?created=yesterday

but members of given group can filter group ownership:

/objects?groupid=1

and actual user can filter user ownership:

/objects?userid=55

there 2 basic patterns - 1 make object child entity of group, such as:

/groups/4/objects/1

with 4 being group id , 1 being object id. other option having group , objects side-by-side:

/groups/4

and

/objects/1

making object child of group and/or user eliminate other filtering options - essentially, have 1 object multiple paths it.

the actual question

if want limit access regular user he/she can access objects directly owned him/her or groups he/she member of, work filter on collection - entity level?

if try:

/objects/9

but object owned group not member of, expect authorization error, while if object doesn't exist @ all, expect "not found" - this, however, leak information book's existence, , have retrieve object in order able determine whether or not user has right see it.

so came this:

/objects/9?groupid=4

or

/objects/9?userid=55

in this, can base initial decision on authorization on group id or user id, , try retrieve object additional restriction.

if user not member of group 4, can not authorized, , if book doesn't exist, can not found, meaning not object doesn't exist, object doesn't exist in group 4. answer more clear, , not have retrieve object first.

the alternative return authorization error regardless of whether due fact not authorized or due fact object doesn't exist. answer imprecise, put less of burden on caller.

another possibility map multiple paths:

/objects /groups/4/objects /users/9/objects /colors/green/objects

this seems rather messy , violate principle of having single path single concept.

does have practical insight on this? reasons (apart ones mentioned) why 1 or other preferable?

if understand correct, every object linked (at least) 1 group or (at least) 1 user, don't have problem of having object without group or user.

if case don't see point in using filters not make sense in rest way , not give benefit client site.

so suggested use following:

/groups/$groupid/objects/$objectid

and 

/user/$userid/objects/$objectid

now server should check if client authorized ("the user member of group" / "the current user") given $groupid xor $userid

  • if not authorized: not check if object there. give not authorized error.
  • if authorized: give standard response codes

i don't see benefit non authorized client information if resource available or not not important him, because cant access either way. , suggested result in information leak which result in security problem (but depending on api , information , usage).


now lets go through scenarios group calls:

user arnold (member of groups: 1,2,3) wants access existing object 7 of member group 3.

get /groups/3/objects/7

response: #200

user arnold (member of groups: 1,2,3) wants access non existing object 55 of member group 2.

get /groups/2/objects/55

response: #404

user arnold (member of groups: 1,2,3) wants access existing object 11 of non member group 5.

get /groups/5/objects/11

response: #401

user arnold (member of groups: 1,2,3) wants access non existing object 19 of non member group 5.

get /groups/5/objects/19

response: #401



and user objects:

user arnold wants access non existing object 56.

get /user/arnold/objects/56

response: #404

user arnold wants access existing object 13.

get /user/arnold/objects/13

response: #200

user arnold wants access jon's existing object 77.

get /user/jon/objects/77

response: #401

user arnold wants access jon's non existing object 88.

get /user/jon/objects/88

response: #401

as can see server responds #401 if client non authorzied. additional great give error message in body e.g. sorry, not authorized see content of user "jon" or sorry, not authorized see content of group "abyzx", client knows problem is.

this seems rather messy , violate principle of having single path single concept.

i don't see way different sources (1) (3) , so answers no problem have multiple paths or uris.

each resource in service suite have at least 1 uri identifying it.

it clients understand authorization process , them navigate through api.


-

Popular posts from this blog

c# - ODP.NET Oracle.ManagedDataAccess causes ORA-12537 network session end of file -

overview i want replace oracle.dataaccess orcale. managed dataaccess, opening connection latter throws ora-12537 network session end of file exception. exception message / stack trace {oracleinternal.network.networkexception (0x000030f9): ora-12537 : netzwerksession: dateiende @ oracleinternal.network.readerstream.read(orabuf ob) @ oracleinternal.ttc.orabufreader.getdatafromnetwork() @ oracleinternal.ttc.orabufreader.read(boolean bignoredata) @ oracleinternal.ttc.marshallingengine.unmarshalub1(boolean bignoredata) @ oracleinternal.ttc.ttcprotocolnegotiation.readresponse()} i trying connect oracle 11g database , not have client installed on local machine. working test application (unmanaged) using oracle.dataaccess works fine . using system; using oracle.dataaccess.client; namespace app.odp.unmanaged { internal class program { private static void main(string[] args) { //dummy connection string
Read more

matlab - Compression and Decompression of ECG Signal using HUFFMAN ALGORITHM -

i want compress , decompress ecg signal stored text message text file , find out file size, cr,prd ratio,and qs. here code compression , decompression of ecg signal using huffman algorithm. i'm trying find out file size, compression ratio,prd ratio,qs. but error i'm getting the ecg file in text format. %clearing variables , screen enter code here clear all; close all; clc; [file1]=uigetfile('*.txt'); %fprintf('enter ecg file name :%s',file1); p=file1; t=sprintf('%s',p); b1=dlmread([file1]); len=length(b1); lead=input('enter lead number :'); %lead=str2double(lead); col2=b1(1:end,lead); e=fix(sqrt(len)); m=1; i=1:e j=1:e g2(i,j)=fix(col2(m)*1000); %amplifying 1000 m=m+1; end end g3=g2; i=1:e j=1:e
Read more

utf 8 - split utf-8 string into bytes in python -

i trying split utf-8 string bytes in python 3. problem is, when use bytearray, byte, encode etc functions array size of element 14 bytes, not 1 byte expected. need split text file sequence of bytes , send them byte after byte using sockets. tried this: infile = open (file, "r") str = infile.read() byte_str = bytes(str, 'utf-8') print("size of byte_str",sys.getsizeof(byte_str[0])) print gives me 14, need 1... suggestion? quoting official documentation : sys.getsizeof(object[, default]) return size of object in bytes. object can type of object. built-in objects return correct results, not have hold true third-party extensions implementation specific. only memory consumption directly attributed object accounted for, not memory consumption of objects refers to. if given, default returned if object not provide means retrieve size. otherwise typeerror raised. getsizeof() calls object’s __sizeof__ method , adds
Read more