...
Consistent with what we’ve done and thus the least code churn;
Possibly easier for external users to understand;
Possibly easier to secure down the road with Spring Security (using URL-based security rather than method-based security);
Cons
Honestly I was going to say “more code” but after looking at the other options, it might still be the best way to proceed. Trying to eliminate keywords like “self” that make more endpoints… that’s more to add to the SDK, more to test, more to document, etc. Putting all the security within the system is easier;
Some security checks might get tedious. You might still want a DSL class for this. The delete user is a good example:
```java
// An org admin may delete an account that holds at least one role and
// belongs to the caller's own organization.
boolean orgAdminDelete = context.isInRole(ORG_ADMIN) &&
        !account.getRoles().isEmpty() &&
        context.getCallerOrgMembership().equals(account.getOrgMembership());
// Test accounts: gated by isSelfResearcherOrAdmin plus the test-user data group.
boolean testDelete = AuthUtils.isSelfResearcherOrAdmin(context.getCallerUserId()) &&
        account.getDataGroups().contains(TEST_USER_GROUP);
// Admins may delete any account.
boolean adminDelete = context.isInRole(ADMIN);

if (!orgAdminDelete && !testDelete && !adminDelete) {
    throw new UnauthorizedException();
}
```
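One way the DSL class suggested above could express the delete-user check, as an added example that is not the project's own code. Every type, helper, and role or group string here is a hypothetical stand-in, and `SELF.or(researcher).or(admin)` is an assumed reading of `AuthUtils.isSelfResearcherOrAdmin`.

```java
import java.util.*;
import java.util.function.Predicate;

public class DeleteUserAuthExample {
    // Hypothetical stand-ins for the request context and the target account.
    record Caller(String userId, Set<String> roles, String orgId) {}
    record Account(String userId, Set<String> roles, Set<String> dataGroups, String orgId) {}
    record Request(Caller caller, Account target) {}

    // Minimal rule DSL: named predicates, any one of which grants access.
    static final class AuthRule {
        private final Map<String, Predicate<Request>> grants = new LinkedHashMap<>();
        AuthRule allowIf(String name, Predicate<Request> p) { grants.put(name, p); return this; }
        // Returns the name of the first matching grant; denies by default.
        String check(Request r) {
            return grants.entrySet().stream()
                    .filter(e -> e.getValue().test(r))
                    .map(Map.Entry::getKey).findFirst()
                    .orElseThrow(() -> new SecurityException("Caller not authorized"));
        }
    }

    // Reusable conditions; the role and group strings are constructed values.
    static Predicate<Request> callerInRole(String role) { return r -> r.caller().roles().contains(role); }
    static final Predicate<Request> SAME_ORG = r ->  // a caller with no org never matches
            r.caller().orgId() != null && r.caller().orgId().equals(r.target().orgId());
    static final Predicate<Request> TARGET_HAS_ROLES = r -> !r.target().roles().isEmpty();
    static final Predicate<Request> TARGET_IS_TEST_USER = r -> r.target().dataGroups().contains("test_user");
    static final Predicate<Request> SELF = r -> r.caller().userId().equals(r.target().userId());

    // The three grants from the snippet above, declared once instead of inline booleans.
    static final AuthRule CAN_DELETE_USER = new AuthRule()
            .allowIf("orgAdminDelete", callerInRole("org_admin").and(TARGET_HAS_ROLES).and(SAME_ORG))
            // Assumed semantics: (self OR researcher OR admin) AND target is a test user.
            .allowIf("testDelete", SELF.or(callerInRole("researcher")).or(callerInRole("admin")).and(TARGET_IS_TEST_USER))
            .allowIf("adminDelete", callerInRole("admin"));

    public static void main(String[] args) {
        Caller orgAdmin = new Caller("u1", Set.of("org_admin"), "orgA");
        Account peer = new Account("u2", Set.of("study_coordinator"), Set.of(), "orgA");
        Account outsider = new Account("u3", Set.of("study_coordinator"), Set.of(), "orgB");
        System.out.println(CAN_DELETE_USER.check(new Request(orgAdmin, peer)));
        try {
            CAN_DELETE_USER.check(new Request(orgAdmin, outsider));
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Returning the matched grant name lets the caller log which rule authorized a deletion, and a request that matches no grant is rejected rather than allowed.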