babie

Reputation: 1447

What is the best HTTP status code for a blocked user profile in a Rails API?

I wrote an API for a social app in Rails. This app is like Facebook: users can block other users. If user A blocks user B, user B can't view the profile page of user A. So what is the best HTTP status code I should return: 404, 403, 204 or 200 (render nothing)?

Upvotes: 17

Views: 23223

Answers (2)

Alex Kojin

Reputation: 5204

I much prefer to use 403 Forbidden

The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).

If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.

An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).

https://www.rfc-editor.org/rfc/rfc7231#section-6.5.3

Upvotes: 21

Nikita Misharin

Reputation: 2020

A best practice for this is 403; however, doing so will expose the fact that the user has been blocked. If you don't want that, you can return 404. GitHub, as an example, always returns 404 for unauthorized access to private repos.

Upvotes: 6
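Added example, not code from the question or from either answer: a plain-Ruby model of the decision both answers describe, returning 403 when the viewer has been blocked, or 404 when the API should hide that the profile exists (the option RFC 7231 allows). It runs without Rails; the user table, block list, ids and response bodies are constructed here for illustration, and in a real controller the returned pair would become `render json: body, status: status`. The point the code makes beyond the answers is that a "hiding" 404 only hides anything if it is produced by the same code path, with the same body, as a genuine 404 for a non-existent user.

```ruby
require 'set'

STATUS_OK        = 200
STATUS_FORBIDDEN = 403
STATUS_NOT_FOUND = 404

# Constructed sample data (hypothetical): users by id, and directed block pairs
# [blocker_id, blocked_id]. Here user 1 (alice) has blocked user 2 (bob).
USERS  = { 1 => { id: 1, name: 'alice' }, 2 => { id: 2, name: 'bob' } }.freeze
BLOCKS = Set[[1, 2]].freeze

# Blocking is one-directional: only the blocked party loses access.
def blocked?(blocks, blocker_id, blocked_id)
  blocks.include?([blocker_id, blocked_id])
end

# Returns [status, body] for GET /users/:profile_id as seen by viewer_id.
#
# hide_existence: false -> 403 with an explicit error (first answer).
# hide_existence: true  -> the very same 404 response a missing user gets
#                          (second answer / RFC 7231's "hide" option).
def profile_response(viewer_id, profile_id, users: USERS, blocks: BLOCKS, hide_existence: false)
  # One constant "not found" response used for BOTH the missing-user and the
  # hidden-block case, so the two are indistinguishable on the wire.
  not_found = [STATUS_NOT_FOUND, { error: 'not found' }]

  owner = users[profile_id]
  return not_found if owner.nil?

  if blocked?(blocks, profile_id, viewer_id)
    return not_found if hide_existence
    return [STATUS_FORBIDDEN, { error: 'forbidden' }]
  end

  [STATUS_OK, owner]
end

# Sanity check for the hiding mode: a blocked viewer's response must equal the
# response for an id that does not exist at all. If this ever returns false,
# the 404 leaks the block just as a 403 would.
def hidden_block_indistinguishable?(viewer_id, blocked_profile_id, missing_profile_id)
  profile_response(viewer_id, blocked_profile_id, hide_existence: true) ==
    profile_response(viewer_id, missing_profile_id, hide_existence: true)
end

if __FILE__ == $PROGRAM_NAME
  p profile_response(2, 1)                         # bob views alice: 403
  p profile_response(2, 1, hide_existence: true)   # same, hidden: 404
  p profile_response(1, 2)                         # alice views bob: 200
  p hidden_block_indistinguishable?(2, 1, 999)     # true
end
```

Two practical notes on the hiding variant: the block check must run after the existence check only if both failures produce the identical response, as above, and every other endpoint that reveals the profile (followers lists, search, avatar URLs) has to apply the same rule, otherwise the 404 on the profile route hides nothing.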
