Reputation: 14581
What is the appropriate http response code for a DELETE that depends on something else?
Say I want to do DELETE /groups/20, and that my business rules state you cannot delete a group as long as it has members.
- If DELETE succeeds, I would return
200or204 - If group 20 does not exist, I would return
404 - If the user is not authenticated, I would return
401. - If the user is authenticated but does not have rights on group 20, I would return
403 - If group 20 exists, user is authenticated, request is fine, but you cannot delete group 20 because it contains members?
What would you return in that case? 400? But the syntax is perfectly formed. 403? Well, yes, it is forbidden, but 403 has come to generally mean, "you don't have the right to perform this action", as opposed to, "you have the right, but some prerequisite is not met, take care of those and then come back."
Upvotes: 4
Views: 230
Answers (1)
Reputation: 41898
If the user is able to correct the request by deleting the members and trying to delete the group again, you should return 409 Conflict. RFC 7231 says:
The 409 (Conflict) status code indicates that the request could not be completed due to a conflict with the current state of the target resource. This code is used in situations where the user might be able to resolve the conflict and resubmit the request. The server SHOULD generate a payload that includes enough information for a user to recognize the source of the conflict.
You said on the comments that 409 Conflict seems more to be reserved for double-creating something, but "seems reserved" is almost an oxymoron. If something is reserved, the RFCs are usually quite explicit about it and use the keyword MUST. RFC 7231 mentions the case of conflict edits due to PUT requests as the more common case, but nowhere it says the status code is reserved to that.
Conflicts are most likely to occur in response to a PUT request. For example, if versioning were being used and the representation being PUT included changes to a resource that conflict with those made by an earlier (third-party) request, the origin server might use a 409 response to indicate that it can't complete the request. In this case, the response representation would likely contain information useful for merging the differences based on the revision history.
Upvotes: 2
Related Questions
- Correct HTTP response code for Delete API if resource is in use and cannot be deleted
- REST, HTTP DELETE and parameters
- How to model the consequences of HTTP DELETE action without actually doing it
- RESTful - What should a DELETE response body contain
- What is the HTTP response code for failed HTTP Delete operation?
- Desired HTTP response code when unable to delete a resource
- Right way to handle DELETE request on RESTful API
- RESTful delete strategy
- Correct way of using REST DELETE?
- REST: DELETE and Business Logic conditions