-
Notifications
You must be signed in to change notification settings - Fork 486
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Native API: set using PUT instead of toggle using POST #2219
Comments
Well, I still believe this is a design flaw. (And I still see notifications from issues that I was involved with :)) |
I think this should be re-opened. I have similar issues. There is not a deterministic way to set, for example, the superuser property on an authenticated user. You have to first determine the value before deciding whether or not to toggle it. |
@tdilauro I'm happy to re-open this issue but and I see now that "set" is in the title. You want to be able to pass true or false so the operation is deterministic. Makes sense. I guess we'd keep the old toggle version for backward compatibility though. Do you have a strong opinion about PUT vs. POST for this issue? I don't. |
@pdurbin I think set is alright. You would be setting to either true or false. The operation should be PUT based on RFC 2616 Section 9.6 (PUT) v. Section 9.5 (POST). To make it RESTful, I would think the resource (URL) would be better structured as |
I agree with @tdilauro regarding the PUT vs GET. As for the proposed URL, it's technically correct, but managing superusers is very much an admin task, and so it has to go under
Also, note that this issue talks about a change in the API (that we have to support until at least 5.0) so it needs to be approved by project management before implementation. |
@michbarsinai assume you meant PUT v. POST above. |
@michbarsinai I don't see what you propose above as RESTful, as it is less resource-centric and more function-/implementation-based. For example, you mention that managing superusers is an admin task, so it needs to be under /api/admin (I am assuming that there is a security implementation detail bundled up in this). To my mind, it is important to look at this from a resource perspective for a variety of reasons:
It's relatively easy for me to think of superusers as a global group/collection (as you suggest above), though I would want URIs that look like more like resources and less like functions, e.g.:
But it's even easier for me to think of superuser (no 's') or, even better, isSuperuser as a property of a user (agent). There are a lot of different ways to handle the properties; I'm just trying to illustrate my point here.
|
IMHO it basically boils down to whether super users are a property of the users or of the system. Both views are fine, and are not really in contradiction (ideally we'd have both). However, the "property of the system" view is in line with the guideline of having all admin api endpoints under |
@tdilauro of at " Toggle Superuser status on/off" in #3612 we're building a GUI that includes the ability to make someone a superuser. The latest screenshot is at #3614 (comment) . I hope this helps and I'm closing this issue but please open a fresh one if there's anything you need. Thanks! |
In the Native API, a user can be made superuser by toggling her/his status using a POST command:
This is not like any other setting and requires to keep state outside the system.
Somewhat similarly, authentication providers are enabled/disabled by
POST
ing a status, instead ofPUT
ting it:These settings should, like all the others, be updated with
PUT
.The text was updated successfully, but these errors were encountered: