Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

REST HTTP status code if DELETE impossible

My question is quite a generic one about HTTP status code when a DELETE is impossible on the resource (but not regarding user's rights).

We have a RESTful API on a type of resource.

The DELETE method is authorized on the resource however under some conditions a resource cannot be deleted (if there are data binded to this resource).

What is the correct HTTP status code to return to the client in this situation?

Here are some of the possibilities I gathered and why it seems inappropriate in my case :

  • 403 (Forbidden) : Seems mostly related with user's rights.
  • 405 (Method Not Allowed) : Seems like the API is not designed to respond to this method for this type of resource.
  • 409 (Conflict) : Seems appropriate but the client should have the possibility to resolve the conflict with the API but that's not the case here.

Update : The data binding that prevents the resource to be deleted cannot be changed via the REST API. However the resource can be "freed" via other way as the database from which the data comes from is also accessed by other apps that may change the state of a resource (an SQL DELETE in the DB can always do that).

like image 872
Matt Avatar asked Aug 04 '14 15:08

Matt


People also ask

What HTTP status code for delete?

For a DELETE request: HTTP 200 or HTTP 204 should imply "resource deleted successfully". HTTP 202 can also be returned by either operation and would imply that the instruction was accepted by the server, but not fully applied yet.

Should a delete return 404?

If you DELETE something that doesn't exist, you should just return a 204 (even if the resource never existed). The client wanted the resource gone and it is gone. Returning a 404 is exposing internal processing that is unimportant to the client and will result in an unnecessary error condition.

Should Put return 200 or 204?

200 OK - This is the most appropriate code for most use-cases. 204 No Content - A proper code for updates that don't return data to the client, for example when just saving a currently edited document.

Which HTTP status code should be returned when we try to delete a resource but our API does not allow to delete it?

If the item is was successfully deleted, return 200 (the resource exists as of the time of the request, and the action was executed). If it's being queued for execution, return 202. If the resource has already been deleted, return 410. If it otherwise doesn't exist, return 404.


2 Answers

I'd say 409 is the most appropriate, given it's wording in the RFC:

The 409 (Conflict) status code indicates that the request could not be completed due to a conflict with the current state of the target resource. This code is used in situations where the user might be able to resolve the conflict and resubmit the request. The server SHOULD generate a payload that includes enough information for a user to recognize the source of the conflict.

(emphasis mine)

Based on my understanding of the description in the question, the reason for DELETE not being allowed is exactly a conflict with the current state of the target resource. As indicated in the RFC, the response payload can give an indication of the reason and, optionally, the user might be able to resolve it. I don't see anything in the spec that makes 409 inappropriate just because the API doesn't offer a conflict resolution possibility.

like image 100
E-Riz Avatar answered Oct 02 '22 13:10

E-Riz


A 409 Conflict response is definitely wrong if the client can't resolve the conflict and delete the request later. That is, unless the resource has state tracking whether it can be deleted or not, 409 Conflict is not a good fit.

A 403 Forbidden doesn't necessarily mean not authorized:

However, a request might be forbidden for reasons unrelated to the credentials.
   -- RFC 7231

The implication is usually there, though. You can use this code, but it may cause some confusion. It'll be especially tricky if the method actually requires authorization also - you'll need a code or something in the response indicating whether the failure was related to authorization or the resource being non-deletable.

I think that 405 Method Not Allowed is the correct way to go.

The 405 (Method Not Allowed) status code indicates that the method received in the request-line is known by the origin server but not supported by the target resource.
   -- RFC 7231

The method DELETE is not supported for this resource. That sounds exactly like what you're describing. The HTTP spec doesn't really have a concept of a type of resource - just a resource. It happens that people group individual resources under the same endpoint for sanity, but that's just a convenience for developers and users. As far as the HTTP spec is concerned, /widgets/12 and /widgets/15 and /widgets/3453 are three different resources. The fact that the same object represents all three of those resources on the server is completely irrelevant. I think that's the "type" you're thinking of, but to HTTP that's just an implementation detail.

like image 28
Eric Stein Avatar answered Oct 02 '22 14:10

Eric Stein