Reputation: 3059
I'm creating a REST API using ASP.NET Core and bit-framework.
We want to allow clients to delete only the resources that they have created themselves.
If a client asks to delete a resource that was created by another client, what is the best exception to raise in the API?
What is the most correct HTTP status code to return?
All the exceptions implemented in the Bit.Owin.Exceptions namespace are:
BadRequestException
ResourceNotFoundException
AppException
DomainLogicException
Should I stick to this list of exceptions in my API? Is this list going to include more exceptions to cover more scenarios?
I think one of these status codes must be returned, but which one suits our condition better?
Upvotes: 1
Views: 194
Reputation: 3317
Based on @cassiomolin's answer, you can create your own exception type based on the following docs:
https://docs.bit-framework.com/introduction/web-api#exception-handling
add exception type to bit framework known exceptions
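    using System;
    using System.Net;

    // IKnownException and IHttpStatusCodeAwareException are bit-framework interfaces (see the docs linked above).
    public class CanNotDeleteOtherClientResourceException : Exception, IKnownException, IHttpStatusCodeAwareException
    {
        public CanNotDeleteOtherClientResourceException(string message)
            : base(message)
        {
        }

        // Status code returned to the client when this exception is thrown: 403 Forbidden.
        public HttpStatusCode StatusCode { get; set; } = HttpStatusCode.Forbidden;
    }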
Upvotes: 1
Reputation: 130907
I'm not familiar with the framework you are using. But let me give you my 2 cents. From the API consumer's point of view, the 403 status code seems to be a quite reasonable choice for the situation described in your question:
The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any). [...]
Alternatively, if you intend to hide the existence of a resource, throw an exception that maps to 404:
An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).
Upvotes: 3
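The 403 versus 404 choice discussed in the answers above, as an added example that is not part of the original posts and is not bit-framework code. `ResourceStore`, `hideForeignResources` and the client ids are hypothetical names, and the store is an in-memory stand-in for a real data layer.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Hypothetical in-memory store: resource id -> id of the client that created it.
public sealed class ResourceStore
{
    private readonly Dictionary<int, string> _ownerById = new Dictionary<int, string>();
    private readonly bool _hideForeignResources;

    // true: answer 404 for another client's resource; false: answer 403.
    public ResourceStore(bool hideForeignResources) => _hideForeignResources = hideForeignResources;

    public void Add(int id, string ownerId) => _ownerById[id] = ownerId;

    // callerId must come from the authenticated identity (token or session),
    // never from a field the client supplies in the request.
    public HttpStatusCode Delete(int id, string callerId)
    {
        if (!_ownerById.TryGetValue(id, out var ownerId))
            return HttpStatusCode.NotFound;           // no such resource

        if (!string.Equals(ownerId, callerId, StringComparison.Ordinal))
            return _hideForeignResources
                ? HttpStatusCode.NotFound             // same answer as a missing id
                : HttpStatusCode.Forbidden;           // existence is disclosed

        _ownerById.Remove(id);
        return HttpStatusCode.NoContent;              // deleted by its creator
    }
}

public static class Program
{
    public static void Main()
    {
        foreach (var hide in new[] { false, true })
        {
            var store = new ResourceStore(hide);
            store.Add(1, "client-a");                 // constructed sample data
            int foreign = (int)store.Delete(1, "client-b");
            int missing = (int)store.Delete(99, "client-b");
            int own = (int)store.Delete(1, "client-a");
            Console.WriteLine("hide={0}: foreign={1} missing={2} own={3}", hide, foreign, missing, own);
        }
    }
}
```

When the 404 variant is used to hide a resource, the response body for another client's resource also has to match the body for a missing id, otherwise the payload discloses what the status code hides.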