I think two different meanings of "capabilities" are getting conflated here. In the HATEOAS sense, capabilities are the state transitions a server advertises via hypermedia links – an API discovery mechanism, not an authorization model. Roles and permissions are orthogonal to that and of course still enforced server-side on every request. A server that takes hypermedia seriously only advertises links the current user is actually allowed to follow, which is arguably a security plus.
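To make the distinction concrete, here is an added example (not code from the thread) of the two halves working together: the hypermedia layer advertises only the transitions the caller may follow, while the request handler still checks the same permission on every call, so a hand-crafted request to an unadvertised link is refused. The order resource, roles and permission names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed model (assumption, not from the thread): every state
# transition the server can advertise maps to one required permission.
TRANSITIONS = {
    "self":   ("GET",  "/orders/{id}",        "order:read"),
    "cancel": ("POST", "/orders/{id}/cancel", "order:cancel"),
    "refund": ("POST", "/orders/{id}/refund", "order:refund"),
}

ROLE_PERMISSIONS = {
    "customer": {"order:read", "order:cancel"},
    "support":  {"order:read", "order:cancel", "order:refund"},
}


@dataclass
class User:
    name: str
    role: str

    def permissions(self) -> set:
        return ROLE_PERMISSIONS.get(self.role, set())


def render_order(order_id: str, user: User) -> dict:
    """Discovery: advertise only the links this user is allowed to follow."""
    links = {}
    for rel, (method, template, perm) in TRANSITIONS.items():
        if perm in user.permissions():
            links[rel] = {"method": method, "href": template.format(id=order_id)}
    return {"id": order_id, "_links": links}


def _match(template: str, path: str) -> bool:
    # "{id}" segments act as wildcards; everything else must match exactly.
    t, p = template.strip("/").split("/"), path.strip("/").split("/")
    return len(t) == len(p) and all(a == b or a.startswith("{") for a, b in zip(t, p))


def handle(method: str, path: str, user: User) -> tuple:
    """Authorization: enforced on every request, whether or not the link
    was ever advertised to this user. Returns (status, body)."""
    for rel, (m, template, perm) in TRANSITIONS.items():
        if m == method and _match(template, path):
            if perm not in user.permissions():
                return 403, {"error": f"{user.name} lacks {perm}"}
            return 200, {"transition": rel}
    return 404, {"error": "unknown transition"}
```

Hiding the `refund` link from a customer is a usability and hardening gain, but `handle()` is what actually keeps the customer from refunding; the link filter alone would be no protection.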
Also worth noting: that sentence was just a historical aside about Fielding's original definition. The actual argument of the piece is that what most people call REST is really CRUD over HTTP, and that commands and queries are a better fit.
I entered my zip code… well, wrong country: I’m living in Germany.
And even if you knew that, the only thing you could have known from the zip code is the city. At least roughly, because multiple small villages share one zip code.
Or, to cut it short: This doesn’t work at all on a general and global level, so I guess there’s a reason why websites do this differently…
(I'm asking because it's super annoying that some pseudo-smart people come up with an oh-so-clever approach of "look ma, I have detected AI slop" over and over again, when all they actually do is piss people off who write by hand.)
I mainly intended it as some friendly advice as to what information you better have prominently available on your web site for casual visitors to bother with researching you as an option.