Tags: c#, odata, authorize

Multiple GET methods in OData


On many entities, some users have the right to request their own entities or any entities. Users can make multiple Dashboards. Normal users should only query for their own dashboards, while an admin should be able to see any dashboards.

What is the best URI convention to use with OData in this situation? I thought about something like http://example.com/odata/Dashboards that will give only owned dashboards and http://example.com/odata/Dashboards/Any that will give access to any dashboard entities, but I'm really not sure it's the way to go.

Nobody seems to explain in tutorials how to deal with complex authorization, rather than just having access to anything or nothing.

What do you guys suggest about that? If you have some tutorials that explain complex cases when it comes to authorization, I'm really interested.

Thank you!


Solution

  • What about using http://example.com/odata/Users(1)/Default.Dashboards() and, in the Users controller's Dashboards function, returning the related Dashboards.

    // bound function on User: GET /odata/Users({key})/Default.Dashboards()
    builder.EntityType<User>().Function("Dashboards").ReturnsCollectionFromEntitySet<Dashboard>("Dashboards");
    
    [HttpGet]
    [ODataRoute("Users({key})/Default.Dashboards()")]
    public IQueryable<Dashboard> Dashboards(int key)
    {
        // determine the user's rights (admin vs. owner) before building the query
        return _db.Dashboard.Where ...
    }
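The following is an added example (not the answerer's code) that fills in the rights check the answer leaves as "...". It assumes ASP.NET Web API 2 with Microsoft.AspNet.OData and Entity Framework 6, a `Dashboard.OwnerId` column, a `NameIdentifier` claim holding the numeric user id, and an "Admin" role; all of these names are assumptions. The security point it shows is that ownership is decided from the authenticated principal, never from the `{key}` in the URL, and that the ownership filter is part of the `IQueryable` so a client-supplied `$filter` or `$expand` is composed on top of it and cannot widen the result.

```csharp
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.AspNet.OData;
using Microsoft.AspNet.OData.Builder;
using Microsoft.AspNet.OData.Routing;

// Assumed entity shapes and EF6 context (hypothetical, not from the answer).
public class User { public int Id { get; set; } }
public class Dashboard { public int Id { get; set; } public int OwnerId { get; set; } public string Name { get; set; } }
public class AppDbContext : System.Data.Entity.DbContext
{
    public System.Data.Entity.DbSet<Dashboard> Dashboard { get; set; }
}

public static class EdmModelConfig
{
    public static Microsoft.OData.Edm.IEdmModel Build()
    {
        var builder = new ODataConventionModelBuilder();
        builder.EntitySet<User>("Users");
        builder.EntitySet<Dashboard>("Dashboards");
        // Bound function: GET /odata/Users({key})/Default.Dashboards()
        builder.EntityType<User>().Function("Dashboards")
               .ReturnsCollectionFromEntitySet<Dashboard>("Dashboards");
        return builder.GetEdmModel();
    }
}

[Authorize] // unauthenticated callers never reach the action
public class UsersController : ODataController
{
    private readonly AppDbContext _db = new AppDbContext();

    [HttpGet]
    [EnableQuery] // $filter/$select/$expand are applied on top of the returned IQueryable
    [ODataRoute("Users({key})/Default.Dashboards()")]
    public IHttpActionResult Dashboards(int key)
    {
        // Identity comes from the authenticated principal, not from the URL key.
        var identity = (ClaimsIdentity)User.Identity;
        int callerId = int.Parse(identity.FindFirst(ClaimTypes.NameIdentifier).Value);
        bool isAdmin = User.IsInRole("Admin"); // assumed role name

        // A normal user may only ask for their own dashboards; any other key is refused.
        // An admin may use any key, which covers the asker's "Any" case without a second route.
        if (!isAdmin && callerId != key)
            return StatusCode(HttpStatusCode.Forbidden);

        // Ownership filter is baked into the query before OData query options run.
        IQueryable<Dashboard> owned = _db.Dashboard.Where(d => d.OwnerId == key);
        return Ok(owned);
    }
}
```

The same pattern works for a plain `Dashboards` entity set: apply `Where(d => d.OwnerId == callerId)` unless the caller is an admin, so the normal and admin cases share one URI.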