
What is the REST best practice with PUT / PATCH and permissions?


I'm working on a REST API and I cannot find any answer to my question. Here is my problem:

In my application, I have several user roles, "Admin" and "User". Both can PUT / PATCH an entity "Agency", but they cannot modify the same fields:

  • Admin can modify all fields

  • User can modify only the "name" and "address" fields

So my colleagues and I don't know how to choose between two options:

  • Create two endpoints, PATCH /api/agency/{id} and PATCH /api/agency/{id}/restricted: the first only allowed for admins, the second for both roles but only updating "name" and "address"? => This is simpler, but it exposes a new route to the world.

  • Only one endpoint, which returns a 403 response if a User tries to update an unauthorized field? => This can become complex in the future if the permission rules get more complicated, but only one endpoint is exposed...

Thanks a lot for your response, and pardon my English!


Solution

  • The second option is the REST way to do it. The URI shouldn't be indicating the permissions/authorisation required to call it. If you want to indicate the allowed API calls, then the correct mechanism is HATEOAS, which is a fundamental principle of REST.

    I'm not sure I understand your argument that it can become complex in the future. I think the first option offers much more opportunity for increasing complexity. What if new roles come along in the future? What if the permissions become more granular? In the first option your URI will change.
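Here is what the second option looks like in code, as an added example that is not part of the question or the answer above. It is a framework-free Python simulation of a single PATCH /api/agency/{id} handler: the role/field policy, the "Agency" field list and the `_links` shape are all assumptions. The points a practitioner would want are that the whole request is rejected with 403 when any field is outside the caller's allowance (no silent partial update), unknown fields such as a client-supplied "id" get a 400 before any permission logic runs, and the response advertises the fields the caller may edit, which is the HATEOAS-style hint the answer refers to.

```python
"""One PATCH endpoint, field-level authorisation, role-aware links (added example)."""
from __future__ import annotations

from typing import Any

# Constructed sample policy (an assumption, not from the original post):
# the fields an Agency has, and which of them each role may modify.
AGENCY_FIELDS = {"name", "address", "budget", "owner_id"}
EDITABLE_FIELDS = {
    "Admin": AGENCY_FIELDS,
    "User": {"name", "address"},
}


def forbidden_fields(role: str, patch: dict[str, Any]) -> set[str]:
    """Return the patch keys this role may not modify (empty set means allowed)."""
    allowed = EDITABLE_FIELDS.get(role, set())
    return set(patch) - allowed


def edit_link(agency_id: int, role: str) -> dict[str, Any]:
    """Hypothetical HATEOAS-style link telling the caller what it may PATCH."""
    return {
        "href": f"/api/agency/{agency_id}",
        "method": "PATCH",
        "fields": sorted(EDITABLE_FIELDS.get(role, set())),
    }


def handle_patch(role: str, agency: dict[str, Any],
                 patch: dict[str, Any]) -> tuple[int, dict[str, Any]]:
    """Simulate PATCH /api/agency/{id} and return (HTTP status, response body).

    The stored resource is never modified unless every field in the patch
    is both known and permitted for the caller's role.
    """
    # Validation first: reject fields that are not part of the resource at all
    # (this also blocks attempts to overwrite "id" or other internal fields).
    unknown = set(patch) - AGENCY_FIELDS
    if unknown:
        return 400, {"error": "unknown fields", "fields": sorted(unknown)}

    # Authorisation: a role the policy does not know gets nothing.
    if role not in EDITABLE_FIELDS:
        return 403, {"error": "role not allowed to modify this resource"}

    denied = forbidden_fields(role, patch)
    if denied:
        # All-or-nothing: do not apply the permitted subset and drop the rest,
        # or the client cannot tell that part of its update was ignored.
        return 403, {"error": "field not editable for this role",
                     "fields": sorted(denied)}

    updated = {**agency, **patch}
    body = {**updated, "_links": {"edit": edit_link(agency["id"], role)}}
    return 200, body


if __name__ == "__main__":
    # Constructed sample resource for a manual run.
    agency = {"id": 7, "name": "North", "address": "1 Main St",
              "budget": 100, "owner_id": 3}
    print(handle_patch("User", agency, {"name": "North-East"}))
    print(handle_patch("User", agency, {"name": "X", "budget": 5}))
    print(handle_patch("Admin", agency, {"budget": 5}))
```

Because `forbidden_fields` only computes a set difference against a per-role allow list, adding a third role or moving a field between roles is a one-line change to `EDITABLE_FIELDS` with no new route, which is the complexity argument made in the answer. The 400-before-403 ordering also avoids leaking, through the status code, whether an unknown field name exists for some other role.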