Question:
I'm building a project with webApi2 using OAuth.
The system has (for example) User registration (default), with View, Edit, New, Activate, Inactivate, Delete permissions.
The standard POST, GET, PUT methods are OK, but to do the other functionalities I can use a POST with routes (which only change the object's status):
[Route("api/usuario/{id}/ativar"), Authorize(Roles = "usuario.ativar")]
public HttpResponseMessage Ativar(int id) { ... }
[Route("api/usuario/{id}/inativar"), Authorize(Roles = "usuario.inativar")]
public HttpResponseMessage Inativar(int id) { ... }
Using HttpPatch, I couldn't find a way to update the object's status only in the authorized method, because I can switch to the {Status: Inactive} call, as the current user only has permission to view, and if I pass other properties, they will also be updated (request via AngularJS).
Would there be a way to use this with HttpPatch? But I need to leave enabled for the user only what he has permission for. Or, in my case, would what supplies my need be just to use POST and create specific methods with permissions and routes?
Answer:
I've been frustrated with this question as well: I need to do something specific but POST, GET, PUT, or even PATCH.
My answer? Use POST, with the appropriate routes. This, I believe, is a simple but effective way.
We can spend hours and hours arguing which HTTP verb to Enable, but I think at the end of the day, POST is more appropriate.
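For comparison with the per-action POST routes, this is one way a single PATCH endpoint could enforce the same permissions, added here as an example and not part of the original question or answer. It checks every property in the request body against an allowlist that maps the property (and, for Status, the requested value) to a role, and rejects the whole request if any property is unlisted or unauthorized. The role `usuario.editar`, the property names `Nome` and `Email`, the value `Active` and the controller name are assumptions; it targets ASP.NET Web API 2 with Json.NET.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using Newtonsoft.Json.Linq;

// Hypothetical controller name; the page only shows the Ativar/Inativar actions.
public class UsuarioPatchController : ApiController
{
    // Role needed to set `field` to `value`; null means the field can never be patched.
    private static string RequiredRole(string field, JToken value)
    {
        switch (field.ToLowerInvariant())
        {
            case "status":
                // Only string values are accepted; anything else is not patchable.
                var s = value.Type == JTokenType.String ? (string)value : null;
                if (string.Equals(s, "Active", StringComparison.OrdinalIgnoreCase)) return "usuario.ativar";
                if (string.Equals(s, "Inactive", StringComparison.OrdinalIgnoreCase)) return "usuario.inativar";
                return null;
            case "nome":   // assumed editable properties
            case "email":
                return "usuario.editar"; // assumed role name for the Edit permission
            default:
                return null; // Id, roles, password hash, etc. are never bound from the client
        }
    }

    [HttpPatch, Route("api/usuario/{id}"), Authorize]
    public HttpResponseMessage Patch(int id, [FromBody] JObject patch)
    {
        if (patch == null || !patch.HasValues)
            return Request.CreateErrorResponse(HttpStatusCode.BadRequest, "Empty patch");

        // Validate every property before changing anything, so a request that mixes
        // an allowed change with a forbidden one is rejected as a whole.
        foreach (var prop in patch.Properties())
        {
            var role = RequiredRole(prop.Name, prop.Value);
            if (role == null)
                return Request.CreateErrorResponse(HttpStatusCode.BadRequest, "Property not patchable: " + prop.Name);
            if (!User.IsInRole(role))
                return Request.CreateResponse(HttpStatusCode.Forbidden);
        }

        // At this point only allowlisted, authorized properties remain in `patch`;
        // copy exactly these onto the entity in the application's own persistence layer.
        return Request.CreateResponse(HttpStatusCode.NoContent);
    }
}
```

A user who holds only the view permission gets 403 for `{Status: "Inactive"}`, and a user who holds `usuario.inativar` but sends extra properties is rejected instead of having them silently updated.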