What is the appropriate HTTP error code if a user tries to perform an action not available to them?
I have a question about HTTP response codes.
Use case:
A user with ordinary user rights tries to modify a record that may only be edited by users with moderator rights (enforced by business logic).
What is the expected HTTP status response?
I am sure the following statuses are wrong:
200 is wrong because the operation was not successful.
400 seems wrong because every part of the request is correct (body/headers/method).
I am considering 401 Unauthorized or 403 Forbidden, but I don't have any argument to apply.
What status would you expect?
I would expect 403. 401 is usually for things like a failed login; 403 is for trying to do something you are not allowed to do after you have logged in.
"I consider 401 Unauthorized or 403 Forbidden, but I don't have any argument to apply."
The 403 status code seems to be suitable for the situation described in your question. However, if the server wants to "hide" the existence of a resource, then 404 can be used instead. See the following quote from RFC 7231:
The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).
If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.
An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).
The 401 status code is meant to be used for HTTP authentication (where the credentials are sent in the Authorization header) and indicates that the credentials for that request have been refused.
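The decision the answer describes, as an added example that is not part of the question or answers above: a handler that returns 401 (with the WWW-Authenticate header RFC 7235 requires) when no credentials are presented, 403 when an authenticated user lacks the moderator role, and optionally a 404 that is identical to a real miss when the server wants to hide that the record exists. The User and Record types and the in-memory record table are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample types for the example (assumptions, not from the page).
@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)

@dataclass(frozen=True)
class Record:
    id: int
    moderator_only: bool  # business rule: only moderators may edit

# Constructed in-memory record table.
RECORDS: Dict[int, Record] = {
    1: Record(id=1, moderator_only=True),
    2: Record(id=2, moderator_only=False),
}

Response = Tuple[int, Dict[str, str], str]

# One shared 404 response so a hidden-forbidden reply is indistinguishable
# from a genuine not-found reply (no existence oracle for unauthorized callers).
NOT_FOUND: Response = (404, {}, "Not Found")

def handle_edit(record_id: int, user: Optional[User], hide_forbidden: bool = False) -> Response:
    """Return (status, headers, body) for an attempt to edit a record."""
    record = RECORDS.get(record_id)
    if record is None:
        return NOT_FOUND
    if user is None:
        # No credentials: 401 must tell the client how to authenticate.
        return 401, {"WWW-Authenticate": 'Bearer realm="records"'}, "Unauthorized"
    if record.moderator_only and "moderator" not in user.roles:
        # Credentials understood and accepted, but policy forbids the action.
        # The client should not retry with the same credentials, so no
        # WWW-Authenticate header is sent here.
        if hide_forbidden:
            return NOT_FOUND
        return 403, {}, "Forbidden: moderator role required"
    return 200, {}, f"record {record.id} updated"
```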