Toward the end of the day today, Alex and I were discussing permissions, usability, and keeping the API DRY. The problem is that you have permissions that are part of your app (duh) and these permissions are not the same for every user (duh). Well, usability dictates that we should hide unusable actions and unviewable pages (duh). But we want to have a nicely organized API that RESTfully describes resources. We also want to use that API code for our web tier, and we don’t want to have some /classes and /permissions HTTP requests for every web page we render.
Then I finally realized the connection between hypermedia and discoverable RESTful APIs. All the times I’ve read descriptions of discoverable URLs in APIs, all I can hear is “SOAP! WSDL! Auto-generated code!” And then I lose interest because that’s not my style. What I miss, though, is that HTML pages have this capability built into them. This is great, as it allows links between pages, forming the whole web thing, but it also gives a pretty intuitive declaration of your permissions model. So including (or specifically excluding) the proper API endpoints does provide all that discoverability stuff, but it also just lets you express your permissions model in as intuitive a fashion as you can in your HTML code.
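
As an added example (not from the original post), here is that idea sketched in Python: the serializer includes a link only when the user may follow it, so the web tier can render actions straight from `_links` without a separate /permissions request. The role names, the `POLICY` table, and the function names are assumptions; the request handler re-checks the same policy, because leaving a link out of a response does not by itself block the request.

```python
# Added illustration: POLICY, LINKS, User, allowed, render_class and handle are hypothetical names.
from dataclasses import dataclass

# Constructed policy: role -> set of (HTTP method, link relation) allowed on a class resource.
POLICY = {
    "student": {("GET", "self"), ("GET", "roster")},
    "teacher": {("GET", "self"), ("GET", "roster"), ("PUT", "edit"), ("DELETE", "delete")},
}

# Link relations a class resource can expose, with the method and URL template of each.
LINKS = {
    "self": ("GET", "/classes/{id}"),
    "roster": ("GET", "/classes/{id}/students"),
    "edit": ("PUT", "/classes/{id}"),
    "delete": ("DELETE", "/classes/{id}"),
}


@dataclass
class User:
    name: str
    role: str


def allowed(user, method, rel):
    """Single policy check shared by link rendering and request enforcement."""
    return (method, rel) in POLICY.get(user.role, set())


def render_class(user, class_id, title):
    """Serialize a class resource, including only the links this user may follow."""
    links = {
        rel: {"method": method, "href": template.format(id=class_id)}
        for rel, (method, template) in LINKS.items()
        if allowed(user, method, rel)
    }
    return {"id": class_id, "title": title, "_links": links}


def handle(user, method, rel, class_id):
    """Return the HTTP status for a request; a hidden link is still checked here."""
    if rel not in LINKS or LINKS[rel][0] != method:
        return 404  # no such action on this resource
    if not allowed(user, method, rel):
        return 403  # the action exists but this user may not perform it
    return 200
```
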