Reputation: 21
Do you know if there is an HTTP response code for this use case: "The user is allowed to see a fraction of the called resource but not all of it"?
It sounds like a mixture between the 200 response code (because the user is allowed to retrieve some of the resource) and the 403 response code (because the user is not allowed to see all of it).
I guess the 206 response code (Partial Content) makes sense somewhat. But according to the MDN Web Docs* this response sounds very 'technical' and not business case specific.
Thank you for your help!
*https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/206
Upvotes: 0
Views: 2150
Reputation: 407
It would still be a status 200, since they are successfully getting the data they have access to. Whether or not there's other data they don't have access to makes no difference if they're getting what they do have access to. And there's no reason to tell them they don't have access to that other data if they're not trying to access it.
206 means you're sending the data they have access to in smaller parts.
Imagine a user endpoint. Admin would have access to all user info, whereas a regular user only to their own. So you could have a /user/ to get all and a /user/:id to get a specific user.
If a regular user accesses /user/:id where id is their own id they should get a 200. If they try to access /user/ or /user/:id where id is not their id they should get a 403 (because they're not allowed to use the former and allowed to use the latter, but not get the data for that id). If they're not logged in they should get a 401 (doesn't even matter whether or not they would have access to it if they were logged in).
Same for if you just have a /user/ endpoint, where data is returned based on e.g. their id stored in a cookie. If data is returned: 200. If they're not allowed to use that endpoint: 403. And again, if they're not logged in: 401.
Upvotes: 2
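The endpoint rules from the answer above (200 / 401 / 403 on `/user/` and `/user/:id`), plus the "user sees only the part of the resource they are allowed to see, still with 200" case from the question, written out as an added Python example. This is not code from the original post; the user table, the `role` field, the `/user/:id/profile` endpoint with its "public fields" filter, and the 404 for an id that does not exist are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Any, Optional

# Constructed sample data (assumption, not from the post): two regular users
# and one admin. In a real service this would come from a database.
USERS = {
    1: {"id": 1, "name": "alice", "role": "user", "email": "alice@example.test"},
    2: {"id": 2, "name": "bob", "role": "user", "email": "bob@example.test"},
    3: {"id": 3, "name": "carol", "role": "admin", "email": "carol@example.test"},
}

# Fields a logged-in user may see on somebody else's profile (assumption).
PUBLIC_FIELDS = ("id", "name")


@dataclass
class Response:
    status: int
    body: Any = None


def _caller(session_user_id: Optional[int]) -> Optional[dict]:
    """Resolve the session to a user record; None means 'not logged in'."""
    if session_user_id is None:
        return None
    return USERS.get(session_user_id)


def get_user_collection(session_user_id: Optional[int]) -> Response:
    """GET /user/ : only admins may list every user."""
    caller = _caller(session_user_id)
    if caller is None:
        return Response(401)  # authentication first, regardless of what they could see
    if caller["role"] != "admin":
        return Response(403)  # endpoint exists, but this caller may not use it
    return Response(200, list(USERS.values()))


def get_user(session_user_id: Optional[int], target_id: int) -> Response:
    """GET /user/:id : admins may read any user, regular users only themselves."""
    caller = _caller(session_user_id)
    if caller is None:
        return Response(401)
    # Authorization is decided before the existence lookup, so a regular user
    # asking for a foreign id learns nothing about whether that id exists.
    if caller["role"] != "admin" and target_id != caller["id"]:
        return Response(403)
    target = USERS.get(target_id)
    if target is None:
        return Response(404)  # assumption: admins get a 404 for unknown ids
    return Response(200, target)


def get_user_profile(session_user_id: Optional[int], target_id: int) -> Response:
    """GET /user/:id/profile : the 'fraction of the resource' case.

    The owner and admins get the full record; any other logged-in user gets
    only the public fields. Both are successful requests, so both are 200:
    the caller receives exactly the data they are allowed to receive.
    """
    caller = _caller(session_user_id)
    if caller is None:
        return Response(401)
    target = USERS.get(target_id)
    if target is None:
        return Response(404)
    if caller["role"] == "admin" or caller["id"] == target_id:
        return Response(200, target)
    # Filter server-side; the client never sees the withheld fields.
    return Response(200, {k: target[k] for k in PUBLIC_FIELDS})


if __name__ == "__main__":
    print(get_user_collection(None))   # Response(status=401, body=None)
    print(get_user_collection(1))      # Response(status=403, body=None)
    print(get_user(1, 2))              # Response(status=403, body=None)
    print(get_user_profile(2, 1))      # 200 with only id and name
```

The design point worth keeping from the answer: the status code describes the outcome of *this* request, not the caller's standing on data they did not ask for. A filtered 200 tells the client "here is what you may have"; a 403 is reserved for a request the caller made but is not permitted to make; and 401 is returned before any of that is considered.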