Allow only certain fields with PUT in a REST API (Spring)


I have a REST API with the following endpoint: /item.

Users can POST to the endpoint with the following data (example):

POST /item:
{
    "title": "This is a title",
    "category": "fake-category",
    "youtube_url": "http://www.youtube.com/fakeID"
}

After the item is created, they can send a PUT request to update the item, but they are only allowed to change the title and the category, not the youtube_url.

I'm currently using Spring. However, I'm not sure what the best practice is for this situation.


If you are the creator and designer of this API, you can do whatever you want and document it.

Some options:

  1. Simply ignore the immutable fields quietly, while updating the rest of the fields in backend.
  2. Compare all of the received fields with existing ones, return HTTP code 400 if some of the immutable fields are modified.
  3. Use a totally different PUT request structure, that is, don't accept requests that contain non-deserializable fields. For example, in the first case use NewItemRequestDTO with 3 fields in it, and in the second one use UpdateItemRequestDTO with only 2 fields and delegate the validation to the JSON mapping library that you use.

Whatever solution you choose, the most important part is to document that in your API.
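
Added example, not part of the original answer: option 3 sketched with Jackson alone (assumes jackson-databind on the classpath), showing that the two-field DTO only rejects youtube_url when the mapper is strict about unknown properties. The class name ItemDtoDemo, the field layout of both DTOs and the sample body are assumptions made for illustration.

```java
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

public class ItemDtoDemo {
    // Body accepted by POST /item: all three fields.
    public static class NewItemRequestDTO {
        public String title;
        public String category;
        @JsonProperty("youtube_url") public String youtubeUrl;
    }

    // Body accepted by PUT /item: the immutable youtube_url has no field here,
    // so a client-supplied value can never be bound onto the update.
    public static class UpdateItemRequestDTO {
        public String title;
        public String category;
    }

    public static void main(String[] args) throws Exception {
        // Strict mapper: an unknown JSON property is an error. This is Jackson's
        // own default, but Spring Boot's auto-configured mapper disables it, so
        // there it has to be re-enabled for option 3 to reject instead of ignore.
        ObjectMapper strict = new ObjectMapper()
                .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);
        // Lenient mapper: unknown properties are dropped silently (option 1).
        ObjectMapper lenient = new ObjectMapper()
                .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);

        // Constructed sample body, sent first as POST and then as PUT.
        String body = "{\"title\":\"This is a title\",\"category\":\"fake-category\","
                    + "\"youtube_url\":\"http://www.youtube.com/fakeID\"}";

        NewItemRequestDTO created = strict.readValue(body, NewItemRequestDTO.class);
        System.out.println("POST: bound youtube_url=" + created.youtubeUrl);

        UpdateItemRequestDTO ignored = lenient.readValue(body, UpdateItemRequestDTO.class);
        System.out.println("PUT lenient: title=" + ignored.title + ", youtube_url dropped");

        try {
            strict.readValue(body, UpdateItemRequestDTO.class);
            System.out.println("PUT strict: accepted (unexpected)");
        } catch (UnrecognizedPropertyException e) {
            // In a controller this failure is what becomes the 400 response.
            System.out.println("PUT strict: rejected field '" + e.getPropertyName() + "'");
        }
    }
}
```

In a Spring Boot application the strict behaviour can be switched on for the shared mapper with `spring.jackson.deserialization.fail-on-unknown-properties=true`; without it, the separate update DTO still prevents youtube_url from being changed, but the extra field is ignored rather than reported.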