Different REST resource content based on user viewing privileges

Question

I want to provide different answers to the same question for different users, based on the access rights. I read this question:

Excluding private data in RESTful respons

Answer 1

According to Fielding's dissertation (it really is a great writing):

A resource is a conceptual mapping to a set of entities, not the entity that corresponds to the mapping at any particular point in time.

In other words, if you have a resource that is defined as "the requesting user's assigned projects" and representations thereof accessible by a URI of /projects, you do not violate any constraints of REST by returning one list of projects (i.e., representation) for user A and another (representation) for user B when they GET that same URI. In this way, the interface is uniform/consistent.

In addition to this, REST only prescribes that an explicit caching instruction be included with the response, whether that is 'cache for this long' or 'do not cache at all':

Cache constraints require that the data within a response to a request be implicitly or explicitly labeled as cacheable or non-cacheable.

How you choose to manage that is up to you.

Keeping that in mind,

You should feel comfortable returning a representation of a resource that varies depending on the user requesting a representation of a particular resource, as long as you are not violating the constraints of a uniform interface -- don't use a single resource identifier to return representations of different resources.

If it helps, consider that the server responds with varying representations of a resource as well -- XML or JSON, French or English, etc. The credentials sent with the request are just another factor the server is able to use in determining which representation to to send in response. That's what the header section is there for.