Check Permissions before Presenting the Interface
By now, the API is able to inform clients about their allowed actions on a given resource.
The '_links' section of a GET to events with admin permissions looks like this:
< GET /events >
"_links": {
    "self": {
        "href": "events",
        "methods": [
            "POST",
            "HEAD",
            "OPTIONS",
            "GET"
        ],
        "title": "events"
    }
}
In the "methods" section, the API informs the client about the allowed actions.
Similarly, a GET to the home endpoint '/' can be used to see permissions for all resources:
< GET / >
{
    "_links": {
        "child": [
            {
                "href": "studydocuments",
                "methods": [
                    "POST",
                    "HEAD",
                    "OPTIONS",
                    "GET"
                ],
                "title": "studydocuments"
            },
            {
                "href": "users",
                "methods": [
                    "POST",
                    "HEAD",
                    "OPTIONS",
                    "GET"
                ],
                "title": "users"
            }
            (...)
This information can be used to determine which tools to display.
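A client-side sketch of that decision, added here as an example and not taken from the API's own code: it reads the "_links" section of a home response and returns which tools to render per resource. The sample response is constructed (a non-admin view in the shape shown above), and the tool names, the tool-to-method mapping and the "sessions" entry are assumptions.

```javascript
// Constructed sample data in the shape of the "_links" section shown above.
const HOME_RESPONSE = {
  _links: {
    child: [
      { href: "studydocuments", methods: ["POST", "HEAD", "OPTIONS", "GET"], title: "studydocuments" },
      { href: "users", methods: ["HEAD", "OPTIONS", "GET"], title: "users" },
      { href: "sessions", title: "sessions" }, // assumed entry with no "methods" key
    ],
  },
};

// Hypothetical mapping from UI tools to the HTTP method each one needs.
const TOOL_REQUIRES = { list: "GET", create: "POST", edit: "PATCH", remove: "DELETE" };

// Collect link objects from "self" and "child", tolerating missing sections.
function collectLinks(response) {
  const links = (response && response._links) || {};
  const out = [];
  if (links.self) out.push(links.self);
  if (Array.isArray(links.child)) out.push(...links.child);
  return out;
}

// Return a map of href -> array of tool names for every advertised resource.
// A method that is not explicitly advertised is treated as not allowed.
function allowedTools(response) {
  const result = Object.create(null); // no prototype, so any href is a safe key
  for (const link of collectLinks(response)) {
    if (typeof link.href !== "string") continue;
    const methods = new Set(
      (Array.isArray(link.methods) ? link.methods : [])
        .filter((m) => typeof m === "string")
        .map((m) => m.toUpperCase())
    );
    result[link.href] = Object.keys(TOOL_REQUIRES).filter((tool) => methods.has(TOOL_REQUIRES[tool]));
  }
  return result;
}

// Check for a single button or menu entry. This only decides what to display;
// the API remains the authority and checks permissions on every request.
function canShow(response, href, tool) {
  const tools = allowedTools(response)[href];
  return Array.isArray(tools) && tools.includes(tool);
}
```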