I am building a RESTful protocol for Dynamic Carpooling applications, for my Computer Science thesis.

In the protocol I also have to formally specify the HTTP status code for each operation. I've got this "privacy-related" problem. Suppose the following:

GET /api/persons/angela/location

Retrieves the current position of user "angela". It is obvious that not everybody should be able to obtain a result. Only angela herself and a driver who is going to pick her up should be able to know it.

I cannot decide whether to return a 404 Not Found or a 401 Forbidden here.

Any hints? What would be the best one and why?

+4  A: 

According to Wikipedia, a 401 code is used when a page exists but requires authentication; 403 is for a page where authenticating won't change anything. (In the wild, 403 usually means the permissions on something are wrong, whereas a 401 will prompt the user for a username/password). 404 is for where the document simply doesn't exist.

In your case, it seems like 401 is the most appropriate code, since there is some way of authenticating the users who DO have access to the page.

Phil
Good one! Almost all of the protocol operations require authentication. I've got cases in which resources are available but cannot be retrieved because of user rights, and also cases in which resources are not available because they were previously deleted. Both cases are under authenticated operations. Would you go for a 401 in the first case and a 404 for the second case? Therefore: resource exists but you cannot access it -> 401; resource does not exist -> 404
bodom_lx
Yes, if a resource was deleted, a 404 is appropriate if an attempt is subsequently made to access it.
Phil
Good answer, but I'd prefer "according to Wikipedia" to say "according to RFC 2616" http://tools.ietf.org/html/rfc2616#section-10.4.2 ;)
Day
A: 

Definitely NOT 404. 404 is just Not Found.
401 is access denied.
403 is forbidden.

I would go with 401

DmitryK
+1  A: 

If authorization credentials are provided in the request and the requester does not have permissions to access this resource then you should return 403.

If no authorization credentials are provided in the request then you should return 401.

Darrel Miller
If authorization credentials are provided in the request and the requester does not have permissions to access this resource then you should return 401 not a 403. RFC 2616 explicitly says that for a 403, "Authorization will not help and the request SHOULD NOT be repeated" (http://tools.ietf.org/html/rfc2616#section-10.4.4). So if there are valid credentials that would give permission to access the resource, don't return a 403.
Day
@Day You are absolutely correct. My answer is wrong. Hmm, you learn something new every day.
Darrel Miller
@Darrel Miller No worries. How about having a stab at my spin off question http://stackoverflow.com/q/4038981/445073 :)
Day
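The three cases debated across the answers above (no credentials, credentials for a user who is not allowed to see the location, and a person record that was deleted) as a worked handler. This is an added example, not code from any poster or from the thesis project: the Person/Response types, the bearer-token store, the sample people and the permission rule ("the person herself or the driver assigned to pick her up") are assumptions made for illustration. The default status for an authenticated-but-not-permitted requester follows Day's reading of RFC 2616 (401, because a different set of credentials would help); the denied_status parameter lets you return 403 instead, or 404 if you want the response to be indistinguishable from a deleted or nonexistent person, which is the privacy concern the question raises.

```python
"""Status-code decision for GET /api/persons/<name>/location (added example)."""
from dataclasses import dataclass, field
from typing import Optional

CHALLENGE = 'Bearer realm="carpool"'  # assumed scheme; any 401 must carry a challenge


@dataclass
class Person:
    name: str
    location: Optional[tuple] = None   # (lat, lon); None if not yet reported
    driver: Optional[str] = None       # driver assigned to pick this person up
    deleted: bool = False


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: Optional[dict] = None


# Constructed sample data (not real users or coordinates).
PERSONS = {
    "angela": Person("angela", location=(41.9, 12.5), driver="marco"),
    "marco": Person("marco", location=(41.8, 12.4)),
    "bob": Person("bob", deleted=True),
}

# Constructed credential store: bearer token -> authenticated username.
# Real code would verify a signature and expiry; the dict lookup stands in for that.
TOKENS = {"tok-angela": "angela", "tok-marco": "marco", "tok-eve": "eve"}


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Return the authenticated username, or None if credentials are missing or invalid."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    return TOKENS.get(authorization[len("Bearer "):])


def may_view_location(requester: str, target: Person) -> bool:
    """Authorization rule from the question: only the person or her assigned driver."""
    return requester == target.name or requester == target.driver


def get_location(target_name: str, authorization: Optional[str],
                 denied_status: int = 401) -> Response:
    """Decide the status code for the location resource.

    denied_status applies when the requester is authenticated but not permitted:
      401 - thread's conclusion (RFC 2616 10.4.3: authorization as someone else would help)
      403 - refuse outright, resource existence is still revealed
      404 - hide that the person exists at all (same answer as for a deleted person)
    """
    requester = authenticate(authorization)
    if requester is None:
        # No valid credentials: 401 with a WWW-Authenticate challenge (RFC 2616 10.4.2).
        return Response(401, {"WWW-Authenticate": CHALLENGE})

    target = PERSONS.get(target_name)
    if target is None or target.deleted:
        # Resource does not exist (never did, or was deleted): 404, as agreed in the thread.
        return Response(404)

    if not may_view_location(requester, target):
        if denied_status == 401:
            return Response(401, {"WWW-Authenticate": CHALLENGE})
        return Response(denied_status)

    loc = list(target.location) if target.location is not None else None
    return Response(200, body={"user": target.name, "location": loc})
```

Whichever status you settle on for the denied case, keep it the same for every person the requester may not see; if denied requests get 401 or 403 while deleted people get 404, an attacker with any valid account can enumerate which usernames exist. Note also that RFC 7235 and RFC 7231 later reworded the two codes (401 = the request lacks valid credentials for the target resource, 403 = the server understood the request but refuses to authorize it), which is why most current APIs return 403 rather than 401 for a logged-in user who lacks permission.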