I am sure people have many different opinions on this.
I want to know how other developers think about handling this scenario.
The web application/service requires authentication (i.e., the user needs to be logged in).
It is not publicly accessible.
Example URL: ~/PurchaseOrder/View/1234
How do you decide between the following two options:
Let's say the Purchase Order record is retrievable from a web service in JSON format.
Obviously, the API would return HTTP 404 if the record does not exist.
But how should it respond when the user does not have permission to view that particular Purchase Order record? Set the response code to 404 and return an error message in JSON?
Thanks!
If the server does not know, or has no facility to determine, whether or not the condition is permanent, the status code 404 (Not Found) SHOULD be used instead. This response is cacheable unless indicated otherwise.
If at any point some path part is not found, you should throw 404 eagerly.
The HTTP 404 Not Found response status code indicates that the server cannot find the requested resource. Links that lead to a 404 page are often called broken or dead links and can be subject to link rot.
For a REST web service API, return 404 if the record is not found. If the user does not have permission, return 403 "Forbidden" if you want to make it known that the record exists but the user does not have permission. Return 404 if you do NOT want to disclose the fact that the record exists when the user does not have permission to view it.
From the HTTP spec:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.
For the web application scenario, it is probably more technically correct to return a 404 (or 403) along with a friendly error page in the body of the response in case of an error, but returning a 200 may result in a better user experience, depending on what browsers your audience is using. (I have heard of problems with some old browsers ignoring the custom error page with a 4xx error and instead displaying their own internal error page, whereas they will always display the content of a 200 response. Modern browsers should not have this problem though.)
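As an added example (not code from the question or from the answer above), here is the decision the answer describes, written as a small Python handler for the JSON API case. The in-memory purchase order store, the `User` type and the organisation-based ownership rule are all assumptions made for the example; a real service would look these up in its own data layer.

```python
# Added example: choosing 403 vs 404 for an authorization failure.
# Everything below (the store, the User type, the ownership rule)
# is constructed for illustration and is not from the original page.
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    # Assumption: a user may view orders owned by any of these orgs.
    org_ids: frozenset = field(default_factory=frozenset)


# Constructed sample data: purchase order id -> owning organisation.
PURCHASE_ORDERS = {1234: "acme", 1235: "globex"}


def view_purchase_order(order_id, user, disclose_existence=False):
    """Return (status_code, json_body) for GET ~/PurchaseOrder/View/<id>.

    disclose_existence=False: an order the caller may not view is
    answered with exactly the same status and body as an order that
    does not exist, so the response reveals nothing about which ids
    are in use.
    disclose_existence=True: the caller is told the record exists but
    is off limits (403).
    """
    # Build the "missing" response once so both branches below return
    # byte-for-byte identical output, not merely the same status code.
    not_found = (404, json.dumps({"error": "Purchase order not found"}))

    owner = PURCHASE_ORDERS.get(order_id)
    if owner is None:
        return not_found

    if owner not in user.org_ids:
        if disclose_existence:
            return 403, json.dumps(
                {"error": "You do not have permission to view this purchase order"}
            )
        # Deliberately indistinguishable from the missing-record case.
        return not_found

    return 200, json.dumps({"id": order_id, "owner": owner})


def hides_existence(order_id, user):
    """Check that an unauthorized lookup of a real id matches a lookup
    of an id that cannot exist (a negative id here)."""
    return view_purchase_order(order_id, user) == view_purchase_order(-1, user)


if __name__ == "__main__":
    alice = User("alice", frozenset({"acme"}))
    print(view_purchase_order(1234, alice))
    print(view_purchase_order(1235, alice))
    print(view_purchase_order(1235, alice, disclose_existence=True))
    print(hides_existence(1235, alice))
```

The point of building `not_found` once is that picking 404 only helps if the two paths really are indistinguishable: a 404 whose JSON body or headers differ between "missing" and "forbidden" still lets a caller enumerate valid ids. Response timing can leak the same thing if the authorization check runs a noticeably slower query than the existence check, so it is worth measuring both paths once the choice is made.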