Please let us to decide if an entity it is dereferencable or not, don't fore us to do this.

[videni]

I have created some related issues at api-platform/api-platform repo, but there are fewer people watching that repo, I created here. this issue is very important, I hope to raise our community notice.

Why I think it is a issue?

when an entity is used for admin user, it is dereferencable, but when it is used for customer, it might not. api-platform gives me lots of troubles because of this design.

Case 1: dereferencable for admin, not for customer.

for example , a Order entity has a property car, the car property is also an entity. when car entity is used for admin, it is dereferencable, but it is not for customer. the car entity is only showed when customer views order details, it is not necessary to add an item operation to car for customer.

Case 2: change get item operation

let's assume the Order entity has another property payment, payment is dereferencable for admin and customer, which means, for admin, the get item operation path is /api/admin/payment/{id} , for customer, it is /api/shop/payment/{id}, then when we try to serialize the Order for customer, how can we choose the get item operation for customer , not the admin one?

Related issues

How to disable a single itemOperation
don't force use to specify item route for an entity

[dunglas]

Case 1 looks okish to me, even if having dereferencable IRIs is considered a RDF/semweb best practice: http://w3c.github.io/web-annotation/model/wd2/#terminology
Case 2 however, isn't RESTful. A same resource should have only one canonical IRI. Having two URLs for the same resource looks like a bad REST design. Can't you just change the representation of the resource regarding the Auhtorization header for instance?

API Platform must be extensible, however it must not encourage bad practices. Let's see if we can add something clean enough.

[trsteel88]

@dunglas wouldn't it be bad to display a different view depending on the user role? Wouldn't that mean the resource isn't cacheable because there are multiple views for the 1 resource link?

I still haven't worked out caching for when Authorisation is involved in the API Platform. Is it even possible to cache?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.