user237076

Correct HTTP status code when resource is available but not accessible because of permissions

I am building a RESTful protocol for Dynamic Carpooling applications, for my Computer Science thesis.

In the protocol I also have to formally specify the HTTP status code for each operation. I've got this "privacy-related" problem. Suppose the following:

GET /api/persons/angela/location

Retrieves the current position of user "angela". It is obvious that not everybody should be able to obtain a result. Only angela herself and a possible driver who is going to pick her up should be able to know it.

I cannot decide whether to return a 404 Not Found or a 401 Forbidden here.

Any hints? What would be the best one and why?

Upvotes: 20

Views: 38081

Answers (6)

Cabbage

Reputation: 126

At the date of this post, 13 Nov 2023, the current RFC may recommend 403 for insufficient permissions.

https://datatracker.ietf.org/doc/html/rfc9110#name-403-forbidden

Upvotes: 0

ArthNRick

Reputation: 935

If the user has valid credentials but does not have permission to view the resource, error 403. If he is not authenticated, and needs to be, error 401. According to the RFC (https://www.rfc-editor.org/rfc/rfc2616#section-10.4.2), error 401 indicates missing credentials, and error 403 indicates other authorization issues, such as not being granted permission despite being logged in. But 403 should only be used if you explain the reason for the refusal (lack of permission, for example); if no explanation for the refusal of an authenticated user is provided, you can use the 404 error, according to the RFC.

Upvotes: 0

jeefo

Reputation: 164

I would use 400 Bad Request, because my application will not programmatically navigate to inaccessible resources.
Filtering by user permission and hiding inaccessible resources is good user experience, in my opinion. If my server gets a request for an inaccessible resource, that means some person is trying to do something.
That is why I choose 400 Bad Request in my applications.

Upvotes: 2

Phil

Reputation: 2307

According to Wikipedia (and RFC 2616), a 401 code is used when a page exists but requires authentication; 403 is for a page where authenticating won't change anything. (In the wild, 403 usually means the permissions on something are wrong, whereas a 401 will prompt the user for a username/password). 404 is for where the document simply doesn't exist.

In your case, it seems like 401 is the most appropriate code, since there is some way of authenticating the users who DO have access to the page.

Upvotes: 41

Darrel Miller

Reputation: 142014

If authorization credentials are provided in the request and the requester does not have permissions to access this resource then you should return 403.

If no authorization credentials are provided in the request then you should return 401.

Upvotes: 8

DmitryK

Reputation: 5582

Definitely NOT 404. 404 is just Not Found.
401 is access denied.
403 is forbidden.

I would go with 401.

Upvotes: 4
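The 401/403 split that the answers above converge on (no credentials versus authenticated but not permitted), applied to the question's endpoint, as an added example that is not part of any answer. The user set, the rider-to-driver assignment and the coordinates are constructed sample data; the hide_existence option, which answers an authenticated but unauthorised caller with 404 so the response does not confirm that the target user exists, is the alternative one answer mentions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: registered users and who is assigned to pick whom up.
USERS = {"angela", "bob", "carol"}
ASSIGNED_DRIVER = {"angela": "bob"}  # rider -> driver (constructed)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: Optional[dict] = None


def get_location(target: str, requester: Optional[str],
                 hide_existence: bool = False) -> Response:
    """Decide the response for GET /api/persons/<target>/location.

    requester is None when the request carried no credentials at all.
    With hide_existence=True, a denied request from an authenticated
    caller gets 404 instead of 403, so the status does not reveal
    whether <target> is a registered user.
    """
    # 401 Unauthorized: no credentials. The RFC requires WWW-Authenticate
    # on a 401 so the client knows how to authenticate.
    if requester is None:
        return Response(401, {"WWW-Authenticate": 'Bearer realm="carpool"'})

    # 404 Not Found: the person genuinely does not exist.
    if target not in USERS:
        return Response(404)

    # Authorisation rule from the question: only the rider herself or the
    # driver assigned to pick her up may read the location.
    allowed = requester == target or ASSIGNED_DRIVER.get(target) == requester
    if not allowed:
        # 403 Forbidden: authenticated, but authenticating differently
        # would not help. Optionally masked as 404 (see docstring).
        return Response(404 if hide_existence else 403)

    # Constructed coordinates; a real service would look them up.
    return Response(200, body={"user": target, "lat": 45.46, "lon": 9.19})
```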
