I create an API to access users and objects owned by those users. Objects can be accessed anonymously, by the author, or by some kind of moderator/supervisor.
In all three cases a set of fields can be different (or can be the same – it is not known yet); at least it is different for anonymous vs identified-authorized modes.
Let's assume we have a user 456 and this user owns an object 123.
The primary question is:
What’s the best URI schema for this case and what are the pros and cons of each:
The secondary question is:
Are these resources the same or are they different resources for the same entity?
- One single URI for all objects, with output varying depending on absence or presence of identity:
  /objects.json?criteria=xyz&user=456 -- result depends on identity & "user"
  /objects/123.json -- result depends on identity
  /users/456.json
- Different URIs for anonymous and identified access, as if they were different resources:
  /objects.json?criteria=xyz -- anonymous only
  /objects/123.json -- anonymous only
  /users/456.json
  /users/456/objects.json -- identified only
  /users/456/objects/123.json -- identified only
- Something else?
UPD: Just invented:
/objects/123 -- basic info, same for anonymous&identified
/objects/123/extra -- different kinds of extra info,
/objects/123/extended -- ... or extended representations,
/objects/123/meta -- ... only for authorized roles for each.
/objects?criteria=xyz -- common search for objects
/users/456/objects -- objects owned by user only
And there are URIs of extra resources in the public and per-user lists (lists are entrypoints), depending on what list is used.
With this approach, we have URIs pointing to the resources, that do not vary depending on identity of the requesting user. But we still have control on what parts of information we give or don't give to the requesting user. And URIs are not duplicated in any way. Perfect!
Assuming the question is answered in the UPD above. This pseudo-answer is to close the question.
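The following is an added example, not code from the post, showing how the UPD scheme can be enforced in one request handler: the URI never changes with identity, the representation does. It assumes (none of this is stated in the post) that /objects/123/extra is readable by the author only, /objects/123/meta by moderators only, that /users/456/objects requires the owner or a moderator, and that a `Principal` object carries the caller's user id (None for anonymous). Sample objects and user ids are constructed for the example. Each representation is an explicit allow-list of fields, so a field that is not listed is never serialized, whatever role asks; and any response whose body or links depend on the caller is marked `Cache-Control: private` with `Vary: Authorization`, so a shared cache cannot hand an author's or moderator's view to an anonymous client, which is the one thing identity-dependent representations at a single URI make easy to get wrong.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not from the post): user 456 owns object 123,
# user 789 owns object 124, user 42 is a moderator.
OBJECTS = {
    123: {"id": 123, "owner": 456, "title": "First", "tags": ["xyz"],
          "draft_notes": "unpublished author notes", "flags": ["needs-review"]},
    124: {"id": 124, "owner": 789, "title": "Second", "tags": ["abc"],
          "draft_notes": "", "flags": []},
}
MODERATORS = {42}

# Explicit allow-lists per representation: a field not listed here is never
# emitted, whatever the caller's role (deny by default).
BASIC_FIELDS = ("id", "owner", "title", "tags")  # /objects/{id}, same for everyone
EXTRA_FIELDS = ("draft_notes",)                  # /objects/{id}/extra, author only (assumption)
META_FIELDS = ("flags",)                         # /objects/{id}/meta, moderator only (assumption)

PUBLIC = {"Cache-Control": "public"}
# Anything whose body or links depend on who asked must not land in a shared cache.
PRIVATE = {"Cache-Control": "private", "Vary": "Authorization"}


@dataclass(frozen=True)
class Principal:
    """Authenticated caller; user_id None means anonymous (hypothetical type)."""
    user_id: Optional[int] = None

    @property
    def is_moderator(self) -> bool:
        return self.user_id in MODERATORS


def role_for(principal: Principal, obj: dict) -> str:
    if principal.user_id is None:
        return "anonymous"
    if principal.is_moderator:
        return "moderator"
    if principal.user_id == obj["owner"]:
        return "author"
    return "other"


def _pick(obj: dict, fields: tuple) -> dict:
    return {k: obj[k] for k in fields}


def _entry(obj: dict, principal: Principal) -> dict:
    """List entry: basic fields plus links only to sub-resources this caller may read."""
    base = f"/objects/{obj['id']}"
    links = {"self": base}
    role = role_for(principal, obj)
    if role == "author":
        links["extra"] = base + "/extra"
    if role == "moderator":
        links["meta"] = base + "/meta"
    return dict(_pick(obj, BASIC_FIELDS), links=links)


def handle(url: str, principal: Principal):
    """Dispatch a GET on the UPD URI scheme. Returns (status, headers, body)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    segs = [s for s in parts.path.split("/") if s]
    not_found = (404, PUBLIC, {"error": "not found"})

    # /objects?criteria=xyz -- common search; the links differ by identity, so private
    if segs == ["objects"]:
        crit = query.get("criteria", [None])[0]
        hits = [o for o in OBJECTS.values() if crit is None or crit in o["tags"]]
        return 200, PRIVATE, [_entry(o, principal) for o in hits]

    # /objects/{id}[/extra|/meta]
    if len(segs) in (2, 3) and segs[0] == "objects" and segs[1].isdigit():
        obj = OBJECTS.get(int(segs[1]))
        if obj is None:
            return not_found
        role = role_for(principal, obj)
        if len(segs) == 2:
            return 200, PUBLIC, _pick(obj, BASIC_FIELDS)  # identity-independent, cacheable
        sub = segs[2]
        if sub == "extra" and role == "author":
            return 200, PRIVATE, _pick(obj, EXTRA_FIELDS)
        if sub == "meta" and role == "moderator":
            return 200, PRIVATE, _pick(obj, META_FIELDS)
        if sub in ("extra", "meta"):
            # The object's existence is already public via /objects/{id},
            # so answering 401/403 here reveals nothing extra.
            return (401 if role == "anonymous" else 403), PRIVATE, {"error": "forbidden"}
        return not_found

    # /users/{id}/objects -- owner or moderator only (assumption, not stated in the post)
    if len(segs) == 3 and segs[0] == "users" and segs[2] == "objects" and segs[1].isdigit():
        uid = int(segs[1])
        if principal.user_id is None:
            return 401, PRIVATE, {"error": "authentication required"}
        if principal.user_id != uid and not principal.is_moderator:
            return 403, PRIVATE, {"error": "forbidden"}
        owned = [o for o in OBJECTS.values() if o["owner"] == uid]
        return 200, PRIVATE, [_entry(o, principal) for o in owned]

    return not_found
```

With this layout /objects/123 returns the same bytes to everybody and can sit in any cache, while the author's /objects/123/extra and the moderator's /objects/123/meta are separate resources with their own access decision, and the lists act as entry points by advertising only the links the caller is allowed to follow. A caller who guesses a link they were not given still hits the same allow-list check, so the links are a convenience, not the authorization.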