
Given I want to create a resource which has many subresources. The given parameters look like this:

{
    "data": {
        "name": "foo",
        "subresources": [
            {
                "id": 1
            },
            {
                "id": 2
            }
        ]
    }
}

What HTTP error should I return if the current user is not allowed to see the subresource with id = 2?

I considered those:

  • 400: invalid_parameter - validation at the api entry point level
  • 422: invalid_record - validation at the model level
  • 404: not_found - because this is what the user gets if he is not authorized to GET /subresources/2
  • 403: forbidden - because you're not allowed to see this resource

Thank you for your help.

Update: I'm also considering 403.

Erem
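The following is an added example (not code from the question or either answer) showing the two-stage check the question describes: entry-point validation of the posted body, then a per-subresource authorization check before anything is created. It is written so the response is consistent with what the same user already gets from GET /subresources/2: by default the POST answers 404 for a subresource the user may not see, so the create path does not reveal that a hidden record exists; with `hide_existence=False` it answers 403 and names the offending id so the client can retry without it. The store, the user names and the `can_read` helper are constructed stand-ins for a database and an authorization service.

```python
import json

# Constructed sample store (hypothetical; stands in for a database plus an
# authorization service). Only "bob" may read subresource 2.
SUBRESOURCES = {
    1: {"readable_by": {"alice", "bob"}},
    2: {"readable_by": {"bob"}},
}
CREATED = []  # constructed stand-in for persisted resources

# Constructed request body, same shape as the one in the question.
SAMPLE_BODY = json.dumps(
    {"data": {"name": "foo", "subresources": [{"id": 1}, {"id": 2}]}}
)


def can_read(user, sub_id):
    """Authorization check: may `user` see subresource `sub_id`?"""
    rec = SUBRESOURCES.get(sub_id)
    return rec is not None and user in rec["readable_by"]


def parse_payload(raw_body):
    """Entry-point validation (the 400 case).

    Returns ((name, ids), None) on success or (None, error_dict) on failure.
    """
    try:
        data = json.loads(raw_body)["data"]
        name = data["name"]
        subs = data["subresources"]
    except (ValueError, KeyError, TypeError):
        return None, {"error": "invalid_parameter", "detail": "malformed body"}
    if not isinstance(name, str) or not isinstance(subs, list):
        return None, {"error": "invalid_parameter", "detail": "wrong field type"}
    ids = []
    for item in subs:
        if not isinstance(item, dict) or not isinstance(item.get("id"), int):
            return None, {"error": "invalid_parameter",
                          "detail": "subresource id must be an integer"}
        ids.append(item["id"])
    return (name, ids), None


def create_resource(user, raw_body, hide_existence=True):
    """Handle POST /resources for an already-authenticated `user`.

    Returns (http_status, response_body).

    hide_existence=True mirrors GET /subresources/<id> (404 for anything the
    user may not see), so the POST does not confirm that a hidden record
    exists. hide_existence=False answers 403 and names the offending id so
    the client can resubmit without it.
    """
    parsed, err = parse_payload(raw_body)
    if err:
        return 400, err
    name, ids = parsed
    for sub_id in ids:
        if not can_read(user, sub_id):
            # A non-existent id is 404 either way; a hidden one is 404 only
            # when we choose not to distinguish "hidden" from "missing".
            if hide_existence or sub_id not in SUBRESOURCES:
                return 404, {"error": "not_found", "subresource_id": sub_id}
            return 403, {"error": "forbidden", "subresource_id": sub_id}
    resource = {"name": name, "subresources": [{"id": i} for i in ids]}
    CREATED.append(resource)
    return 201, resource


if __name__ == "__main__":
    print(create_resource("alice", SAMPLE_BODY))         # 404, hides existence
    print(create_resource("alice", SAMPLE_BODY, False))  # 403, names id 2
    print(create_resource("bob", SAMPLE_BODY))           # 201, created
```

The validation stage never consults the authorization store, so a malformed body is rejected as 400 before any per-id lookup happens; that keeps the error classes the question lists from blurring into each other and avoids doing authorization work on input that will be rejected anyway.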

2 Answers

2

If a user with the correct credentials could make this request to the server successfully, then the appropriate response would be 401 - Unauthorized.

In your error message, it would be prudent to indicate that you want to reject the request because a specific value is not available to that user; this way, the request can be retried by the client sans anything they aren't able to access.

Makoto
  • 401 Not authorized is about authentication, not authorization. The user is logged in here, so I don't think 401 would fit here. – Erem Sep 10 '15 at 16:28
  • @Erem: Could you say that again? Are you saying that "Not Authorized" is about **authentication**? Are you *sure* that's correct? – Makoto Sep 10 '15 at 16:29
  • I'm saying 401 'not-authorized-authenticated-or-whatever-you-want-to-call-it' means the credentials you provided are not enough to identify an account. So yeah, I'm talking about authentication here. See: http://stackoverflow.com/a/6937030/692751 Authorization means: "Okay, you're logged in but you don't have sufficient privileges to perform this action." Is there something wrong with my statements? – Erem Sep 10 '15 at 20:38
1

See the list of HTTP status codes; you're probably looking for the "401 - Not Authorized" code.

eykanal
  • 401 Not authorized is about authentication, not authorization. The user is logged in here, so I don't think 401 would fit here. – Erem Sep 10 '15 at 16:27