Appropriate way to convey item mutation permissions (ALLOW not appropriate)


#1

The general guidance to determine if the authenticated user has permissions to mutate a collection appears to be to return the Allow header with the allowed methods, e.g. Allow: GET, POST, DELETE

We have a finer grained authorization model, and the authenticated user may have different permissions for each item in the collection. For example, a user may only be able to update content they have created, or we may be aggregating content from multiple backends, and only items retrieved from one of those backends might support update (or delete).

We’re looking at providing hypermedia links to provide this information. Has anyone done this with json:api?

Is there a best practice for the rel types to use? The IANA list of link relations only really covers edit.