I'm not sure how this fits into the overflow stack moderation recommendations, but at the time of writing I did not write Can the URL be considered the only key for an HTTP response? mean this particular case and therefore decided to continue it.
An old story: let's say someone has a website where users should receive private resources for authoring, these are images, sounds, etc. The problem of URLs for them is now considered resolved in the "first part" of the question. What to do if users should receive an index of their assets (i.e., list them for display as a gallery), and although the assets are strictly confidential, site administrators should also have access to them, to provide support, etc. I initially thought of the following URL for such an index:
http://mydomain/user/assets/index
which would really work if the client received authentication and user authorization in the cookie. The server will be able to deduce which index of user assets to receive. The problem arises when the site administrator needs to get some index of user assets, this is where the above URL is absolutely insufficient for such an index identification. The site administrator user agent sends authentication and authorization to the site administrator himself, in fact, he does not determine the user to get the asset index. Is this the best solution to identify the user by URL, for example below?
http://mydomain/user/<user_id>/assets/index
Thank you for your time.
source
share