I've been studying the Tastypie API documentation for custom authorisation.
There are eight possible methods to implement to create a custom authorisation class.
read_list
read_detail
create_list
create_detail
update_list
update_detail
delete_list
delete_detail
I am really struggling to understand the semantics of each of these methods. How exactly do they correspond to HTTP verbs (GET, POST, PUT, PATCH, DELETE... etc.)?
Initially, I thought that the *_list methods might mean...
Give me a list of all objects that the user can [create, read, update, delete]
But the "create" case...
Give me a list of all objects that the user can create
...really doesn't make sense, since the objects have already been created. In order to make sense with my interpretation, this would have to be a list of all possible objects the user could create (which is clearly infeasible).
So what does create_list actually mean? What about create_detail and how does it differ to create_list?
Thanks for clarifying!
The question is about philosophy and concepts, and there are actually 3 questions, but let me try to answer your question briefly.
*_list methods are filters of the objects the user has access to.
*_detail methods are booleans that tell us whether we can have access to the exact object.
Example:
read_list - filters the objects that the user will see on site.com/api/v1/cool_object/
read_detail - tells us whether the user is allowed to view site.com/api/v1/cool_object/2
CREATE - POST
READ - GET
UPDATE - PUT (to upload new entity) / PATCH (to send changed fields only)
DELETE - DELETE
The method was added just for the sake of uniformity and consistency. So you were right to see no practical sense in it.
We can even check it in the tastypie/authorization.py:
def create_list(self, object_list, bundle):
    """
    Unimplemented, as Tastypie never creates entire new lists, but
    present for consistency & possible extension.
    """
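The list/detail split described in the answer above, as an added example that is not part of the original answer or Tastypie's own code. The owner-only policy, the `owner` field, `make_bundle` and the sample notes are hypothetical, and the two base classes are stand-ins so the block runs without Django; in a project you would subclass `tastypie.authorization.Authorization` and raise `tastypie.exceptions.Unauthorized`.

```python
from types import SimpleNamespace

class Unauthorized(Exception):
    """Stand-in for tastypie.exceptions.Unauthorized."""

class Authorization:
    """Stand-in for tastypie.authorization.Authorization."""

class OwnerOnlyAuthorization(Authorization):
    """Hypothetical policy: a user may only act on objects they own."""

    def _owned(self, obj, bundle):
        return obj.owner == bundle.request.user

    # *_list: return the subset of object_list the user may act on.
    def read_list(self, object_list, bundle):
        # With a Django queryset this would be a .filter() on the owner field.
        return [o for o in object_list if self._owned(o, bundle)]

    def update_list(self, object_list, bundle):
        return [o for o in object_list if self._owned(o, bundle)]

    def delete_list(self, object_list, bundle):
        raise Unauthorized("Bulk delete is not allowed.")

    # *_detail: True/False (or raise Unauthorized) for the single bundle.obj.
    # Filtering the list view alone does not protect /cool_object/2; the
    # detail check has to enforce the same ownership rule.
    def read_detail(self, object_list, bundle):
        return self._owned(bundle.obj, bundle)

    def create_detail(self, object_list, bundle):
        return self._owned(bundle.obj, bundle)

    def update_detail(self, object_list, bundle):
        return self._owned(bundle.obj, bundle)

    def delete_detail(self, object_list, bundle):
        return self._owned(bundle.obj, bundle)

def make_bundle(user, obj=None):
    """Constructed stand-in for a Bundle: only request.user and obj."""
    return SimpleNamespace(request=SimpleNamespace(user=user), obj=obj)

# Constructed sample data: three notes with an assumed `owner` attribute.
NOTES = [SimpleNamespace(id=i, owner=o) for i, o in [(1, "alice"), (2, "bob"), (3, "alice")]]

if __name__ == "__main__":
    auth = OwnerOnlyAuthorization()
    print([n.id for n in auth.read_list(NOTES, make_bundle("alice"))])
    print(auth.read_detail(NOTES, make_bundle("alice", NOTES[1])))
```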