REST API - How to restrict access to resources by role?


Let's suppose I'm creating a sales management tool for company FooBar.

FooBar has a list of customers that are divided into four different regions. North, South, East, and West.

The sales managers for each region should be able to access the customers for their own particular region, but not other regions. There is also a national sales manager that has access to all the customers.

What is the best way to expose the customers resource? Is it appropriate to have a single access point of /api/customers that only returns the customers which that manager has access to? Is it normal for a URI to return completely different data sets depending on who is requesting?

The /api/region/customers approach seems wrong because the regions are subject to change, the customers can move between regions, and it would require multiple requests to get the master list for the national director.

Is there a pattern name for what I'm describing? I've tried searching but I must not be using the correct names.

1

There is 1 answer

4
Jochen Bedersdorfer On BEST ANSWER

Since the request for /api/customers will be different for different users (Cookie header will be different, if you use cookies for session handling), it is perfectly fine to return different data.
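To make the accepted answer concrete, here is an added example (not code from the original question or answer) of a single /api/customers collection whose result set depends on the caller, plus the matching per-object check for /api/customers/{id}. The region names come from the question; the user roles, the `allowed_regions` helper, the sample customers and the exception types are assumptions for illustration. The point a practitioner should take from it is that the list endpoint and the single-resource endpoint share one authorization predicate, so filtering the collection can never drift apart from guarding a direct fetch by id.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Region set taken from the question. Everything else below is constructed
# sample data for this example and is not from the original post.
REGIONS = frozenset({"North", "South", "East", "West"})


@dataclass(frozen=True)
class User:
    name: str
    role: str                               # assumed roles: "regional" or "national"
    regions: FrozenSet[str] = frozenset()   # regions a regional manager may read


@dataclass(frozen=True)
class Customer:
    id: int
    name: str
    region: str


class Forbidden(Exception):
    """Caller is authenticated but may not read this customer (HTTP 403)."""


class NotFound(Exception):
    """No customer with this id exists (HTTP 404)."""


def allowed_regions(user: User) -> FrozenSet[str]:
    """Single source of truth for which regions a caller may read.

    Both the collection endpoint and the single-resource endpoint go
    through this function, so the two can never disagree.
    """
    if user.role == "national":
        return REGIONS
    if user.role == "regional":
        # Intersect with the known region set so a stale or mistyped
        # assignment cannot widen access beyond real regions.
        return user.regions & REGIONS
    # Unknown role: deny by default rather than fall through to "all".
    return frozenset()


def can_read(user: User, customer: Customer) -> bool:
    return customer.region in allowed_regions(user)


def list_customers(user: User, customers: List[Customer]) -> List[Customer]:
    """GET /api/customers: same URI, caller-dependent result set."""
    return [c for c in customers if can_read(user, c)]


def get_customer(user: User, customer_id: int, customers: List[Customer]) -> Customer:
    """GET /api/customers/{id}.

    The per-object check must be enforced here as well; filtering only the
    list endpoint would let a regional manager fetch any customer by
    guessing ids outside their region.
    """
    match: Optional[Customer] = next((c for c in customers if c.id == customer_id), None)
    if match is None:
        raise NotFound(customer_id)
    if not can_read(user, match):
        # Raise NotFound here instead if you prefer not to confirm the id exists.
        raise Forbidden(customer_id)
    return match


# Constructed sample data (not from the original post).
SAMPLE_CUSTOMERS = [
    Customer(1, "Acme North", "North"),
    Customer(2, "Bolt South", "South"),
    Customer(3, "Crest East", "East"),
    Customer(4, "Dune West", "West"),
    Customer(5, "Echo North", "North"),
]

NORTH_MANAGER = User("alice", "regional", frozenset({"North"}))
NATIONAL_MANAGER = User("bob", "national")
UNKNOWN_ROLE = User("mallory", "intern")


if __name__ == "__main__":
    print([c.id for c in list_customers(NORTH_MANAGER, SAMPLE_CUSTOMERS)])     # [1, 5]
    print([c.id for c in list_customers(NATIONAL_MANAGER, SAMPLE_CUSTOMERS)])  # [1, 2, 3, 4, 5]
    try:
        get_customer(NORTH_MANAGER, 2, SAMPLE_CUSTOMERS)
    except Forbidden:
        print("north manager denied customer 2")
```

Because region membership lives on the customer record and on the user's assignment rather than in the URI, a customer moving between regions or a manager gaining a second region needs no URL change, and the national manager gets the master list from the same single request.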