I have an API that makes frequent use of links for many kinds of operations (e.g. confirm an order). When these links are not available, that means the operation is not allowed.
However, I see no parallel to “link missing = operation unavailable” when it comes to PATCH and DELETE. According to the JSON-API spec, these requests are sent to the resource’s
self link. But the
self link in general allows GET, PATCH and DELETE, so I can’t remove the link if e.g. deletion is not allowed.
A way that seems consistent with other link operations and with hypermedia is to add separate links called
delete that are identical to the
self link, but which can be removed from the response when the respective operations are not allowed. However, this seems to run counter to the JSON-API spec, which says that GET and PATCH should be sent to the
What I am currently doing is simply having property attributes called something like
canPatch. But then I am special-casing these two operations among all my other links. This would also be the case if adding e.g. a
meta.verbs list to the
self link. So it feels like no more than the lesser of the two evils, so to speak.
How are other people communicating whether PATCH and DELETE is allowed?