Given I want to create a resource which has many subresources.
The given parameters look like this:
    {
      "data": {
        "name": "foo",
        "subresources": [
          {
            "id": 1
          },
          {
            "id": 2
          }
        ]
      }
    }
What HTTP error should I return if the current user is not allowed to see the subresource with id = 2?
I considered these:
- 400: invalid_parameter - validation at the api entry point level
- 422: invalid_record - validation at the model level
- 404: not_found - because this is what the user gets if he is not authorized to GET /subresources/2
- 403: forbidden - because you're not allowed to see this resource
Thank you for your help.
Update: I'm also considering 403.