Closed db213 closed 6 years ago
For question 1, I believe the file path is required - my thinking is that a client shouldn't be able to delete a file that's been moved, if they don't know the move has happened. Requiring the path asserts that the client knows of any moves made to the file.
As for question 2, it's possible to check what projects a user is a member of by getting their metadata. I think checking that a user is part of a project will suffice for 'basic spec' permission-checking; however, since a BE group could implement spectator-type memberships for projects or something similar, HCI/ML groups should be able to handle 401s even if they think they have permission - ideally, when a BE group makes extra permission groups, they'll make a mini-protocol describing how to support them.
Couple simple questions about BE01:
1. Can a POST request to delete a file be made to the projects/{project_name}/files_by_id/{id} path, or do requests to delete a file have to be made to projects/{project_name}/files/{file_path}?
2. What would be the best way of simply checking that a certain token has access permission inside a given project? (i.e. I could request to access a file and check if I get a 401 or not, but I was wondering if there is a neater way).
Thanks!