I'm creating a RESTful API and some of the routes I'm building are intended to support typical actions associated with a "group" resource. For my purposes, a group will be an object that allows users of the system to be "members" of the group and allow them to interact with each other, etc. For example, a "group" called "Study Group" might allow students to engage with each other by sharing notes, files, chat messages, etc.
My question is the following: What is the proper way to construct the URL for routes to support the creation, reading, updating, and deletion associated with groups? Should the groups object be organized under a user within the URL? Should groups be separated out as it's own object not subordinate to a single user?
Compare, for instance, the following 2 routes:
GET /users/{id}/groups and
GET /groups Which is better? The first route is good for representing the collection of groups a given user is a member of, but doesn't that imply the user is the absolute owner of the group for all of eternity? When others members want to post a comment to the group should they be forced to use the following route which includes the user's ID? For example, should other users when commenting do something like this?
POST /users/{id}/groups/{id}/comments It seems to me that once a group exists the proper route for interacting with it should be something simple and universal like the following which omits the user's ID from it. This would also make it easy to switch owners/admins of the group without having to update the proper route developers would rely upon:
GET /groups/{id} Is is appropriate/allowable (in REST API terms) to allow a rote which retrieves a user's current groups to still be associated and organized under the user object in the URL, but to do all other interactions with the group directly under a "groups" route that doesn't include the user ID? And if it is okay to organize some calls under a "users" object in the route and have other routes based solely off of a "group" object won't that require "user_id" values to be passed as part of the manipulation calls (so as to know, for example, who is making the comment within a group)?
I want to do something that is right and makes sense. Looking for other people to offer advice and double check my thinking before I commit to what I'm doing.
Thanks in advance!
One last thought I had while writing up this question...
If I do keep the groups object subordinate to the user then perhaps that's fine. I say that because any route call in the future made by any other user who is a member of the group will make calls to the shared group resource based off of their own unique values within the route. In other words, once a user is a member of a group the resulting route they'd ping in order to do something is unique for each user, but references a shared resource.
For instance, two users A and B posting a comment to a group (with ID 52135) might be the following:
// User A's unique route to post a comment to the group POST /users/2867823/groups/52135/comments // User B's unique route to post a comment to the group POST /users/8872341/groups/52135/comments 
