How to restrict file access in a REST API with RBAC

Çağlar Arlı

I am building a REST API. In this API users can upload files in different ways, such as sending tickets to a help desk with attachments, sending files via private messages, etc. Obviously some files are private and some are public. Private files can be accessed by the owner, can be shared between multiple users, or can be accessed by the user's roles. I am storing file paths in the DB and the actual files on the filesystem. I thought of an access control list that holds references to files, users and roles alongside roles and permissions, but I don't think it is the right choice.

Please leave a comment when you downvote. Apparently my mind is wired differently and I am prone to downvotes.
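
The access rules described in the question (public files, owner access, sharing with specific users, access through a role) written as one deny-by-default lookup; this is an added example, not part of the original post. The table and column names, the `readable_path` helper and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Hypothetical schema: file metadata plus two grant tables (per user, per role).
SCHEMA = """
CREATE TABLE files (id INTEGER PRIMARY KEY, path TEXT,
                    owner_id INTEGER, is_public INTEGER DEFAULT 0);
CREATE TABLE file_user_grants (file_id INTEGER, user_id INTEGER);
CREATE TABLE file_role_grants (file_id INTEGER, role TEXT);
CREATE TABLE user_roles (user_id INTEGER, role TEXT);
"""

# One query answers "may this user read this file?"; no matching row means deny.
CAN_READ = """
SELECT f.path FROM files f
WHERE f.id = :file_id AND (
      f.is_public = 1
   OR f.owner_id = :user_id
   OR EXISTS (SELECT 1 FROM file_user_grants g
              WHERE g.file_id = f.id AND g.user_id = :user_id)
   OR EXISTS (SELECT 1 FROM file_role_grants rg
              JOIN user_roles ur ON ur.role = rg.role
              WHERE rg.file_id = f.id AND ur.user_id = :user_id))
"""

def readable_path(db, user_id, file_id):
    """Return the stored path if user_id may read file_id, else None.

    The caller passes a file id, never a path, so the filesystem location
    always comes from the database row that passed the check.
    user_id=None is an anonymous caller and only matches public files.
    """
    row = db.execute(CAN_READ, {"file_id": file_id, "user_id": user_id}).fetchone()
    return row[0] if row else None

def demo_db():
    """Constructed sample data: owner 10, users 11 and 12, four files."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO files VALUES (?,?,?,?)", [
        (1, "/srv/files/a1.pdf", 10, 0),   # private, owner only
        (2, "/srv/files/b2.png", 10, 0),   # shared with user 11
        (3, "/srv/files/c3.log", 10, 0),   # granted to role 'helpdesk'
        (4, "/srv/files/d4.txt", 10, 1),   # public
    ])
    db.execute("INSERT INTO file_user_grants VALUES (2, 11)")
    db.execute("INSERT INTO file_role_grants VALUES (3, 'helpdesk')")
    db.execute("INSERT INTO user_roles VALUES (12, 'helpdesk')")
    return db
```

A download handler would call `readable_path` with the authenticated user's id and respond identically for "no such file" and "not allowed", since both return `None`.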