Question Details

No question body available.

Tags

domain-driven-design rest api api-design

Answers (2)

April 28, 2026 Score: 3 Rep: 19,024 Quality: Medium Completeness: 50%

It is perfectly OK if users with different roles see different representations of the same resource, especially admin vs. ordinary users, which basically covers your case.

Another common case is that certain resources (for example orders in a web shop system) are accessible only to the customer (and the webshop owner) but not to other customers or unauthenticated visitors, even if they know the full resource URI.

So, if your /inventory lists active and inactive resources for the store owner, but only active items for customers, that would be perfectly reasonable. Of course, /inventory/ for an inactive item could then return a 404 status for customers (a little white lie, pretending that the item does not exist) and the item data for shop owners. One could argue that 403 is more suitable (the item exists but you are not allowed to view it), and depending on the application that might be a better solution.
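The single-endpoint design this answer describes, as an added example that is not part of the original answer: one `/inventory` handler returning a role-specific representation, and one `/inventory/{id}` handler that answers a customer's request for an inactive item with either 404 or 403 according to a policy switch. The inventory data, the role names `owner` and `customer`, and the field names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: one active and one inactive item.
INVENTORY: Dict[str, dict] = {
    "sku-1": {"id": "sku-1", "name": "Widget", "active": True, "cost_price": 4.0, "price": 9.99},
    "sku-2": {"id": "sku-2", "name": "Gadget", "active": False, "cost_price": 7.5, "price": 14.99},
}


@dataclass
class User:
    role: str  # "owner" or "customer" (assumed role names)


# What a customer gets when asking for an item they may not see:
# "hide" -> 404 (the white lie), "deny" -> 403 (exists, but forbidden).
INACTIVE_ITEM_POLICY = "hide"


def represent(item: dict, user: User) -> dict:
    """Role-specific representation of the same resource: owners see every
    field, customers get a public projection without cost_price or active."""
    if user.role == "owner":
        return dict(item)
    return {"id": item["id"], "name": item["name"], "price": item["price"]}


def get_inventory(user: User) -> Tuple[int, List[dict]]:
    """GET /inventory: owners see active and inactive items, customers only active."""
    visible = [i for i in INVENTORY.values() if user.role == "owner" or i["active"]]
    return 200, [represent(i, user) for i in visible]


def get_item(user: User, item_id: str, policy: str = INACTIVE_ITEM_POLICY) -> Tuple[int, Optional[dict]]:
    """GET /inventory/{id}: owners always get the item; a customer asking for an
    inactive item gets 404 under "hide" or 403 under "deny"."""
    item = INVENTORY.get(item_id)
    if item is None:
        return 404, None
    if user.role != "owner" and not item["active"]:
        return (404, None) if policy == "hide" else (403, None)
    return 200, represent(item, user)
```

With the "hide" policy a customer cannot distinguish an inactive item from a non-existent one, since both answer 404; with "deny" the 403 confirms that the SKU exists, which is the trade-off the answer alludes to when it calls 404 a white lie.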

April 28, 2026 Score: 0 Rep: 86,525 Quality: Medium Completeness: 50%

Ooof, I'm just going to chime in with the opposite answer. I'm not saying it's completely wrong to have a single endpoint, but there are things to consider...

Try to avoid using the user role in business logic if possible and have two distinct endpoints.

  1. Show the active inventory

  2. Show all or inactive inventory

The reason this is better than having a single endpoint and examining the role to decide what to return is hard to explain. But if you go down the route where roles are part of business logic, it changes your security layer from being a "cross cutting concern" that you can cut out and handle at the endpoint access level, to an embedded parameter that might change any business logic.

If you keep the role at the endpoint access level and have two endpoints, you have much more flexibility: your business layer is completely isolated from your security layer.

  • You can have admins see only the active inventory on some pages and the full inventory on others.

  • Your tests don't have to worry about whether the user has the X or Y role.

  • You can add new roles and give them whatever access you want.
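The two-endpoint design this answer argues for, as an added example that is not part of the original answer: the business functions never see a role, and authorization is a cross-cutting decorator driven by a per-endpoint table, so the three bullet points above fall out directly (admins can be pointed at the active-only endpoint on some pages, business logic is testable without any user, and a new role is one table entry). The inventory data, the endpoint names and the role names `customer`, `admin` and `auditor` are constructed for the example.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample inventory.
INVENTORY: List[dict] = [
    {"id": "sku-1", "name": "Widget", "active": True},
    {"id": "sku-2", "name": "Gadget", "active": False},
]


@dataclass
class User:
    role: str


class Forbidden(Exception):
    """Raised by the access layer; mapped to HTTP 403 at the edge."""


# Cross-cutting access policy: endpoint -> roles allowed to call it.
# Nothing below this table ever inspects a role. (Role names are assumed.)
ENDPOINT_ROLES: Dict[str, Set[str]] = {
    "GET /inventory/active": {"customer", "admin"},
    "GET /inventory/all": {"admin"},
}


def grant(endpoint: str, role: str) -> None:
    """Give a (possibly new) role access to an endpoint: a policy change only."""
    ENDPOINT_ROLES.setdefault(endpoint, set()).add(role)


def require_endpoint_access(endpoint: str) -> Callable:
    """Decorator that checks the caller's role against the table and then
    calls the business function WITHOUT passing the user through."""
    def decorator(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(user: User):
            if user.role not in ENDPOINT_ROLES.get(endpoint, set()):
                raise Forbidden(endpoint)
            return fn()
        return wrapper
    return decorator


# Business logic: pure functions of the data, no notion of who is asking.
def active_inventory() -> List[dict]:
    return [i for i in INVENTORY if i["active"]]


def all_inventory() -> List[dict]:
    return list(INVENTORY)


# Two distinct endpoints, each gated at access level, each calling plain business logic.
@require_endpoint_access("GET /inventory/active")
def get_active_inventory() -> List[dict]:
    return active_inventory()


@require_endpoint_access("GET /inventory/all")
def get_all_inventory() -> List[dict]:
    return all_inventory()


ROUTES: Dict[str, Callable] = {
    "GET /inventory/active": get_active_inventory,
    "GET /inventory/all": get_all_inventory,
}


def handle(endpoint: str, user: User) -> Tuple[int, object]:
    """Tiny dispatcher: unknown route -> 404, access refused -> 403."""
    route = ROUTES.get(endpoint)
    if route is None:
        return 404, None
    try:
        return 200, route(user)
    except Forbidden:
        return 403, None
```

An admin page that should show only active stock simply calls `GET /inventory/active`; no branch on the role is needed anywhere in the data code, and `active_inventory()` can be unit-tested with no `User` object at all.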