by samjs
1578 days ago
This is definitely a consideration for authorization. To do it well you need to be able to distinguish when you want to reveal information. For example, our APIs push people towards returning a 404 if the user doesn't have read access (you shouldn't even know it exists!), but a 403 if you can read but not edit. You would probably want to do similar here -- only return a reason if the user is allowed to know it exists, but they don't have access. (e.g. it might be "read_exist" vs "read_details" -> "you cannot read the details of this document because you are not a member of this folder".)
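The 404-versus-403 split the comment describes, written out as an added example (not the commenter's code, and not any real API's implementation). The permission names `read_exist`, `read_details` and `edit`, the folder/owner model, and the users and documents are all constructed for illustration. The point it demonstrates: a single shared 404 response covers both "the document does not exist" and "you may not know it exists", and a denial reason is only ever produced once the caller has cleared the `read_exist` gate.

```python
"""Existence-hiding authorization: 404 when the caller may not even know the
resource exists, 403 (with a reason) only once existence may be revealed.
Added example; all names, permission strings and sample data are hypothetical."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: str
    folder: str
    owner: str


# Permission tiers (hypothetical names). "read_exist" is the gate that
# decides whether a caller is ever told the document is real.
OWNER_PERMS = frozenset({"read_exist", "read_details", "edit"})
MEMBER_PERMS = frozenset({"read_exist", "read_details"})
LISTER_PERMS = frozenset({"read_exist"})

# Reason text per action, returned only to callers who hold read_exist.
REASONS = {
    "read_details": "you cannot read the details of this document "
                    "because you are not a member of this folder",
    "edit": "you cannot edit this document because you are not its owner",
}

# Constructed sample store: one document in one folder.
DOCS: Dict[str, Document] = {"d1": Document("d1", "finance", owner="bob")}
FOLDER_MEMBERS: Dict[str, Set[str]] = {"finance": {"alice", "bob"}}
FOLDER_LISTERS: Dict[str, Set[str]] = {"finance": {"carol"}}

# One shared 404 body so "does not exist" and "not allowed to know it exists"
# are indistinguishable to the caller.
NOT_FOUND: Tuple[int, dict] = (404, {"error": "not found"})


def permissions_for(user: str, doc: Document) -> FrozenSet[str]:
    """Union of the permission tiers the user holds on this document."""
    perms: Set[str] = set()
    if doc.owner == user:
        perms |= OWNER_PERMS
    if user in FOLDER_MEMBERS.get(doc.folder, set()):
        perms |= MEMBER_PERMS
    if user in FOLDER_LISTERS.get(doc.folder, set()):
        perms |= LISTER_PERMS
    return frozenset(perms)


def authorize(user: str, doc_id: str, action: str) -> Tuple[int, dict]:
    """Return (status, body) for `user` attempting `action` on `doc_id`."""
    if action not in ("read_exist", *REASONS):
        raise ValueError(f"unknown action: {action}")  # never fail open
    doc = DOCS.get(doc_id)
    if doc is None:
        return NOT_FOUND
    perms = permissions_for(user, doc)
    if "read_exist" not in perms:
        # Same response as a missing document: existence is not revealed.
        return NOT_FOUND
    if action not in perms:
        # Caller may know the document exists, so a reason is safe to give.
        return 403, {"error": "forbidden", "reason": REASONS[action]}
    return 200, {"doc_id": doc.doc_id, "folder": doc.folder}


if __name__ == "__main__":
    for user, action in [("alice", "read_details"), ("alice", "edit"),
                         ("carol", "read_details"), ("dave", "read_details")]:
        print(user, action, "->", authorize(user, "d1", action))
```

Note that `dave`, who has no relation to the folder, gets byte-identical bodies for the real `d1` and for a nonexistent id, which is the property the comment asks for. The remaining distinguisher is timing: the missing-document branch returns before `permissions_for` runs, so a deployment that cares about that would keep both 404 paths on the same code path or pad them to similar cost.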