Patch Methods with Route and Authorize - webApi

Question

Patch Methods with Route and Authorize - webApi

Asked 8 years, 1 month ago

Viewed 200 times

3

I am building a project with webApi2 using Oauth.

The system has (for example) User Registration (default), with permissions to View, Edit, New, Enable, Inactive, Delete.

The standard methods of POST, GET, PUT, are OK, but to make the other features I can use a POST with routes (which only change the status of the object):

[Route("api/usuario/{id}/ativar"), Authorize(Roles = "usuario.ativar")]

public HttpResponseMessage Ativar(int id) { ... }

[Route("api/usuario/{id}/inativar"), Authorize(Roles = "usuario.inativar")]

public HttpResponseMessage Inativar(int id) { ... }

Using HttpPatch, I could not find a way to update the status of obj only in the authorized method, because I can pass to the call {Status: Inactive}, and the current user is only allowed to view, and if you pass other properties, they will also be closed (request via Angularjs).

There would be a way to use this with HttpPatch? However I need to leave enabled to the user only what the same has permission. Or in my case what would satisfy my need would just be to use POST and create specific methods with permissions and routes?

You’re using what to test the PUT? The browser or some tool?

– Leonel Sanches da Silva

2016/05/10 at 02:32
The browser itself. It’s all working. The question is how best to implement actions other than standards (PUT,POST,GET), in the case Activate/Inactivate.

– Tiago Carneiro

2016/05/10 at 12:21

2 answers

1

I have already been frustrated with this doubt as well: I need to do something specific but it does not fit the POST, GET, PUT, or even the PATCH.

My answer? Use the POST, with the appropriate routes. This, I believe, is a simple but effective way.

We can spend hours and hours discussing which HTTP verb fits the Activate, but I think at the end of the day, POST is the most appropriate.

Okay, I get it. If it were not a project depending on permissions, it could even do in a PATCH method for updating, as the user could make any changes.

– Tiago Carneiro

2016/05/10 at 17:04

Browser other questions tagged c# http-request asp.net-web-api-2

You are not signed in. Login or sign up in order to post.

by Leonel Sanches da Silva • **88,623** points · Answer 1 · 2016-05-10T16:43:19+00:00

This is not the right way to test. HTML browsers do not support PUT nor DELETE.

Use a more suitable tool for your tests, reimplently [HttpPut] and repeat the test. PATCH would be best suited to your case, since PUT has the objective of replace the whole object if it does not exist, semantically speaking.