Just one pinprick: "discovering capabilities at runtime" is a security antipattern. There can never be wildcard roles. Every interaction must specify one (possibly composed) role.
I think two different meanings of "capabilities" are getting conflated here. In the HATEOAS sense, capabilities are the state transitions a server advertises via hypermedia links – an API discovery mechanism, not an authorization model. Roles and permissions are orthogonal to that and of course still enforced server-side on every request. A server that takes hypermedia seriously only advertises links the current user is actually allowed to follow, which is arguably a security plus.
Also worth noting: that sentence was just a historical aside about Fielding's original definition. The actual argument of the piece is that what most people call REST is really CRUD over HTTP, and that commands and queries are a better fit.
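To make the distinction above concrete, here is a small added example (my own illustration, not code from the article or from anyone in this thread). It assumes a hypothetical order resource with a handful of state transitions and a constructed role-to-permission table; the point it shows is that the hypermedia representation only advertises links the caller may follow, while the handler that actually performs the transition re-checks the permission on every request, so a client that forges an unadvertised link still gets refused.

```python
from dataclasses import dataclass

# Constructed sample data for this example: a role -> permission table
# (a user may hold several roles, i.e. a composed role) and the set of
# state transitions an order resource can advertise. Each transition
# carries the permission the server will check when it is followed.
PERMISSIONS = {
    "customer": {"order:read", "order:cancel"},
    "clerk":    {"order:read", "order:ship"},
    "admin":    {"order:read", "order:cancel", "order:ship", "order:refund"},
}

TRANSITIONS = {
    # rel:     (method, href template,        permission required, resulting status)
    "self":    ("GET",  "/orders/{id}",        "order:read",   "placed"),
    "cancel":  ("POST", "/orders/{id}/cancel", "order:cancel", "cancelled"),
    "ship":    ("POST", "/orders/{id}/ship",   "order:ship",   "shipped"),
    "refund":  ("POST", "/orders/{id}/refund", "order:refund", "refunded"),
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # composed role: the union of the listed roles' permissions


class Forbidden(Exception):
    pass


def permissions_for(user: User) -> set:
    """Resolve a (possibly composed) role set to its effective permissions."""
    perms = set()
    for role in user.roles:
        perms |= PERMISSIONS.get(role, set())
    return perms


def represent_order(order_id: int, user: User) -> dict:
    """Hypermedia representation of an order.

    Only transitions the caller is allowed to follow are advertised under
    "_links". This is API discovery: it tells the client what it can do next,
    it does not by itself grant anything.
    """
    perms = permissions_for(user)
    links = {
        rel: {"method": method, "href": href.format(id=order_id)}
        for rel, (method, href, needed, _status) in TRANSITIONS.items()
        if needed in perms
    }
    return {"id": order_id, "status": "placed", "_links": links}


def follow(rel: str, order_id: int, user: User) -> dict:
    """Server-side handler for a transition.

    Authorization is enforced here on every request, independently of what
    represent_order() advertised: a client that hand-builds a link it was
    never shown is refused just the same.
    """
    method, href, needed, status = TRANSITIONS[rel]
    if needed not in permissions_for(user):
        raise Forbidden(
            f"{user.name} lacks {needed} for {method} {href.format(id=order_id)}"
        )
    return {"id": order_id, "status": status}


def try_follow(rel: str, order_id: int, user: User) -> str:
    """Convenience wrapper: the resulting status, or "forbidden"."""
    try:
        return follow(rel, order_id, user)["status"]
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    alice = User("alice", frozenset({"customer"}))
    bob = User("bob", frozenset({"customer", "clerk"}))  # composed role
    print(represent_order(42, alice)["_links"])   # self and cancel only
    print(represent_order(42, bob)["_links"])     # self, cancel, ship
    print(try_follow("cancel", 42, alice))         # cancelled
    print(try_follow("ship", 42, alice))           # forbidden: link was never advertised, and the check still runs
```

The discovery step (`represent_order`) and the enforcement step (`follow`) consult the same permission table, which is what keeps the advertised links honest; but removing the check from `follow` would be the actual security bug, not the presence of runtime discovery.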