We currently use the session to keep track of which client
is being worked on, but think our new REST interface should
be stateless.
Should I be redesigning our existing stuff to include client_id
in URLs where necessary?
Or even go a bit further, and include client_id in every resource,
even when not necessary, to keep erroneous implementations
from messing with the wrong tenant…? (We do have an auth layer,
but accounts will have access to multiple tenants.)
Not very elegant code sample:

  # GET /customers
  # GET /customers.xml
  def index
    client_id = nil
    respond_to do |format|
      format.html { client_id = current_client.id }  # tenant taken from the session
      format.xml  { client_id = params[:client_id] } # tenant taken from the request, as sent by the client
    end
    @customers = Customer.find(:all, :include => [:account],
                               :conditions => ["client_id = ?", client_id])
    respond_to do |format|
      format.html # index.rhtml
      format.xml  { render :xml => @customers.to_xml(:include => [:account]) }
    end
  end
Thanks,
Isak
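As an added illustration (not Isak's code, and not Rails itself), here is a plain-Ruby sketch of the stateless variant the question describes: the tenant comes from the URL/params, is checked against the tenants the authenticated account may act on, and every customer lookup runs inside that tenant scope. Account, Customer, Request and the CUSTOMERS table are constructed in-memory stand-ins for the Rails models and controller context.

```ruby
# Constructed stand-ins for the Rails models / controller context (assumptions).
Account  = Struct.new(:id, :client_ids)  # client_ids = tenants this account may act on
Customer = Struct.new(:id, :client_id, :name)
Request  = Struct.new(:format, :params, :session, :account)

# Constructed sample data: two tenants (10 and 20).
CUSTOMERS = [
  Customer.new(1, 10, "Alpha Ltd"),
  Customer.new(2, 10, "Beta GmbH"),
  Customer.new(3, 20, "Gamma SA"),
].freeze

class BadRequest < StandardError; end
class Forbidden  < StandardError; end

# Resolve the tenant for this request. The XML (stateless) path takes it from
# the URL/params, the HTML path from the session. In both cases the id must be
# one the authenticated account is allowed to use; a client_id copied from
# the request without this check would expose another tenant's customers.
def resolve_client_id(req)
  raw = req.format == :xml ? req.params[:client_id] : req.session[:client_id]
  raise BadRequest, "client_id required" if raw.nil?
  client_id = Integer(raw, exception: false)  # rejects "10abc", "", etc.
  raise BadRequest, "client_id must be an integer" if client_id.nil?
  unless req.account.client_ids.include?(client_id)
    raise Forbidden, "account #{req.account.id} has no access to client #{client_id}"
  end
  client_id
end

# GET /clients/:client_id/customers -- every query is scoped by the resolved tenant.
def index_customers(req)
  client_id = resolve_client_id(req)
  CUSTOMERS.select { |c| c.client_id == client_id }
end

# GET /clients/:client_id/customers/:id -- look the record up *inside* the tenant
# scope, so a valid customer id belonging to another tenant yields nil, not data.
def show_customer(req, id)
  index_customers(req).find { |c| c.id == id }
end
```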