Issue
I'm currently working on a REST API using Spring Boot. Let's say I have a product service with basic functionality in a controller. There are two user roles: normal user and admin.
example: addProduct, getProduct, updateProduct, deleteProduct
Users can only access the getProduct endpoint, and admins can access all endpoints.
Which one is the better approach?
first approach:
api/v1/products/ -> do all get, post, delete, patch
second approach:
api/v1/products/admin -> get, post, delete, patch
api/v1/products -> get
Solution
I suggest using Role-Based Access Control (RBAC), wherein each user has a role, and each role has permissions, e.g. get_post, delete_post, and so on. As your application gets bigger in scope, you can have fewer routes this way.
Example situation: if a user posts a resource on api/v1/products, the system will check whether the user has a "create_product" permission. If he has no access, then your API should return 401 unauthorized.
Answered By - ceci
Answer Checked By - Mildred Charles (JavaFixing Admin)
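The role-to-permission design from the answer above, as an added example in Spring Boot with Spring Security 6 method security (this is not code from the question or from ceci's answer). A single route prefix, api/v1/products, serves both roles; each action is guarded by the permission it needs rather than by a separate /admin URL. The permission strings (read_product, create_product, update_product, delete_product), the two demo users and the ProductController are assumptions made for this example.

```java
// Added example (not from the original post): role -> permission RBAC in Spring Boot.
// Assumed: permission names, demo users "alice"/"root", and the ProductController.
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.*;

@SpringBootApplication
@EnableMethodSecurity // turns on @PreAuthorize checks on controller methods
public class RbacProductApp {

    public static void main(String[] args) {
        SpringApplication.run(RbacProductApp.class, args);
    }

    // Role -> permissions. Widening a role or adding one never changes the routes.
    static final Map<String, Set<String>> ROLE_PERMISSIONS = Map.of(
        "USER",  Set.of("read_product"),
        "ADMIN", Set.of("read_product", "create_product", "update_product", "delete_product"));

    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Demo users constructed for the example; a real app loads users and roles from its store
    // and grants each user the permissions of its role as authorities.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("alice-pw"))
                .authorities(ROLE_PERMISSIONS.get("USER").toArray(String[]::new)).build(),
            User.withUsername("root").password(encoder.encode("root-pw"))
                .authorities(ROLE_PERMISSIONS.get("ADMIN").toArray(String[]::new)).build());
    }

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        return http
            .csrf(csrf -> csrf.disable()) // stateless API with no browser session cookie
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated()) // no credentials -> 401
            .httpBasic(Customizer.withDefaults())
            .build();
    }
}

@RestController
@RequestMapping("/api/v1/products") // one prefix for every role
class ProductController {

    private final Map<Long, String> products = new ConcurrentHashMap<>(Map.of(1L, "widget"));
    private final AtomicLong nextId = new AtomicLong(2);

    @GetMapping
    @PreAuthorize("hasAuthority('read_product')") // USER and ADMIN both carry this permission
    public List<String> getProducts() {
        return List.copyOf(products.values());
    }

    @PostMapping
    @PreAuthorize("hasAuthority('create_product')") // authenticated but lacking it -> 403
    @ResponseStatus(HttpStatus.CREATED)
    public void addProduct(@RequestBody String name) {
        products.put(nextId.getAndIncrement(), name);
    }

    @PatchMapping("/{id}")
    @PreAuthorize("hasAuthority('update_product')")
    public void updateProduct(@PathVariable long id, @RequestBody String name) {
        products.replace(id, name);
    }

    @DeleteMapping("/{id}")
    @PreAuthorize("hasAuthority('delete_product')")
    @ResponseStatus(HttpStatus.NO_CONTENT)
    public void deleteProduct(@PathVariable long id) {
        products.remove(id);
    }
}
```

With this configuration a GET from alice succeeds, a POST from alice is rejected because her role lacks create_product, and the same POST from root succeeds, all on the same URL. Note the status codes Spring Security produces by default: a request with no credentials gets 401, while an authenticated user who lacks the permission gets 403 Forbidden from the @PreAuthorize check; keeping that distinction lets clients and logs tell "not logged in" apart from "logged in but not allowed".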