tags:

views:

90

answers:

4
+2  Q: 

Which HTTP Method to use in these RESTFUL use-cases?

Hopefully someone can help me out on this one.

Consider the following use-cases:

  1. Add a Role to a User
  2. Remove/Revoking a Role from a User

The interface into the system is RESTFUL.

When adding a role the following URL is used:

PUT /user/{userId}/role/{roleId}

When removing/revoking a role from a user the following URL is used:

DELETE /user/{userId}/role/{roleId}

My gut feeling is that both these RESTFUL calls should be a PUT and the URLs should be amended too:

PUT /user/{userId}/register/role/{roleId}
PUT /user/{userId}/revoke/role/{roleId}

Thoughts?

Thanks & Regards

A: 

My own take is that DELETE is usually preferable from a RESTful point of view. You would use PUT if you work through a transaction log -- you don't just remove some permission, you add a transaction removing the permission to your transaction log, which also means each time you do you'll get an unique ID representing that action.

Daniel  2009-07-15 08:56:26
Thanks for your response. The resource User has an ID as does Role, but the relationship doesn't resulting in no unique resource ID which is why I thought PUT more appropriate.
JamesC  2009-07-15 09:04:56
+2  A: 

Creating should be done using a POST, and so creating a new role for a user should be a POST rather than a PUT, I would say. It depends if you consider adding a role to be the creation of a role (in which case it's a POST), or the modification of a user (then it's a PUT). The way you've phrased the URL suggests the former to me, so I'd go with POST.

The same argument applies to the revocation of the role. Is that a modification of a user, or the deletion of a role? If the former, then I'd say PUT, if the latter, then DELETE.

skaffman  2009-07-15 09:00:04
Thanks for your response. I see it as a modification of a user myself, because the role already exists. The only creation is the relationship....interesting
JamesC  2009-07-15 09:05:57
This is why I'm less than convinced about REST. It looks all fine and dandy until you try and phrase the operations, then it gets all woolly.
skaffman  2009-07-15 09:13:02
It it just as valid to use a PUT to create a resource. The only condition is that you need to know the roleId in advance.
Darrel Miller  2009-07-15 13:09:51
A: 

The first solution you presented is restful as you are using the Http verbs consistently. The second solution is not consistent because you are using a PUT to remove something.

If you were to create a resource to represent the transaction of registering and revoking then you could do the following:

POST /registrations

POST /revokations

Now, in the revoke case, it is more clear that you are creating a resource (a revoke transaction) that has a side effect of removing the role from the user. The downside is that now you need a POST body that contains the user and the role that is being affected by the transaction.

Your first solution is definitely the best in my opinion.

Darrel Miller  2009-07-15 13:17:56
A: 

I'd suggest to go with DELETE for the second option. As long as you are locating a resource uniquely, you should try to treat the operation as being done on that resource. So in your case, the URL you are acting on is of Role's. So you DELETE the role from under the user. That is how I see it and it makes easy to read - METHOD on RESOURCE.

And also, if you do PUT, usually you replace the RESOURCE, which means you send the whole resource to the server.

Charles Prakash Dasari  2009-07-15 13:24:00

related questions

Mocking WebResponse's from a WebRequest
What's the best way to learn server RESTful code?
JAX-RS Frameworks
SOAP or REST
Are REST request headers encrypted by SSL?
REST in Java
REST type API for non web based applications, Is It a good idea?
Getting started with REST
Plain text passwords in Ruby on Rails using Restful_Authentication
Where WCF and ADO.Net Data services stand?
REST how to handle query parameters when put to resource?
Any way to handle Put and Delete verbs in ASP.Net MVC?
How do you implement resource "edit" forms in a RESTful way?
Friendly URLs for ASP.NET
Possible to create REST web service with ASP.NET 2.0
Strange Rails Authentication Issue
How to respond to an alternate URI in a RESTful web service
Guide to choosing between REST vs SOAP services?
guid REST URL for ado.net dataservice call?
RESTful web services and HTTP verbs
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Best Practices for securing a REST API / web service
Document or RPC based web services
Modify Address Bar URL in AJAX App to Match Current State