Best Approach to show different model fields to different roles from same endpoint

I am facing a challenge where I have 3 different types of user roles, and they should be able to update 3 different sets of fields on the same model that I exposed using a DRF ModelViewSet.

How should it be done ideally? Below are the options that come to my mind.

  • Have different endpoints for each User role and use serializers to control the fields accessible to each role.
  • Have a common endpoint and return different serializers based on the role of the logged-in user, on which the rest of the base update actions would operate.

I am also open to other suggestions if any.

Thanks.

There is no “ideal method” here. This is an architectural decision, with pros & cons on both sides.

If you create different endpoints, you still need to verify the user role before processing to ensure that the browser submitting the request isn’t issuing that request to the wrong endpoint. (Rule #1 - Never trust anything coming from a browser.)

If you create a common endpoint, then that makes adding a new role a little more difficult, and to a degree is going to make the endpoint a little more complex.

It’s your call. There’s no “right” or “wrong” here.

Considering the first approach, I will have to add endpoints for each new role as well.
Also, I will have to maintain a list of APIs available for each role.

In the 2nd approach, users will have a list of all endpoints, mentioning which type of permission or roles they should have to access that endpoint; it sounds more unified. In this way, I can make changes to the already existing endpoint to allow all types of roles I want without introducing a new endpoint.

Thanks for the answer though.
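The common-endpoint option discussed above, as an added example that is not code from this thread: the role is taken from the authenticated user (never from the request body, per Rule #1 in the first reply), the writable field set is looked up per role, and any field outside that set is rejected rather than silently dropped. The role names, field names, `Profile` model and `role` attribute are assumptions for illustration.

```python
# Added example: one endpoint, writable fields chosen by the caller's role.
# Role names, field names and the Profile model are illustrative assumptions.
from typing import Any, Mapping

# Each role may only write the fields listed here. Deny by default: a role
# missing from this table can write nothing.
ROLE_WRITABLE_FIELDS: dict[str, frozenset[str]] = {
    "user": frozenset({"display_name", "bio"}),
    "supervisor": frozenset({"display_name", "bio", "team"}),
    "manager": frozenset({"team", "salary_band", "is_active"}),
}


class ForbiddenField(ValueError):
    """Raised when a payload touches a field the caller's role may not write."""


def writable_fields(role: str) -> frozenset[str]:
    return ROLE_WRITABLE_FIELDS.get(role, frozenset())


def forbidden_fields(role: str, payload: Mapping[str, Any]) -> list[str]:
    """Fields in the payload that this role is not allowed to write, sorted."""
    return sorted(set(payload) - writable_fields(role))


def check_update(role: str, payload: Mapping[str, Any]) -> dict[str, Any]:
    """Server-side gate run before the update; rejects instead of ignoring."""
    bad = forbidden_fields(role, payload)
    if bad:
        raise ForbiddenField(f"role {role!r} may not write: {', '.join(bad)}")
    return dict(payload)


def serializer_class_for(role: str, base: type, model: type) -> type:
    """Build a serializer subclass whose Meta.fields is limited to the role's set.

    With DRF, pass base=serializers.ModelSerializer; any base class works here.
    """
    meta = type("Meta", (), {"model": model, "fields": sorted(writable_fields(role))})
    return type(f"{role.title()}Serializer", (base,), {"Meta": meta})


# Wiring into a DRF ModelViewSet (assumes rest_framework is installed; not run here):
#
# class ProfileViewSet(viewsets.ModelViewSet):
#     queryset = Profile.objects.all()
#     def get_serializer_class(self):
#         role = self.request.user.role  # from the session/token, not the body
#         return serializer_class_for(role, serializers.ModelSerializer, Profile)
```

Calling `check_update` from `perform_update` (or a serializer `validate`) with `request.data` keeps the rejection explicit, since a plain `ModelSerializer` would otherwise quietly ignore fields it does not declare.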

This is actually easier if you define the URLs for the endpoints by role (e.g., /user/endpoint1, /supervisor/endpoint1, /manager/endpoint1, etc.). This keeps your URL structure regular, and allows for some flexibility in your URL definitions.