Semantically speaking, an API should return an error message adapted to the situation. For instance, if a user makes the request GET /article/2386, it should return (the user needs auth to request the API, which handles rights management):
- the article data if it exists and the user has permission,
- a 404 Not Found error message if it doesn't exist,
- a 403 Forbidden error message if the user doesn't have permission.
Now I wonder if it's not wiser to return 403 Forbidden in both cases, as an evil user could try to randomly scan resources and get insights on whether they exist or not (403 if they exist, 404 if they don't).
So is it advisable to return 403 in both cases, or is it "criminal"?
I've hit a number of situations like this before and went the other route of 404ing if they don't have permissions. The rationale being that there is no article of id 2386 that you can view, therefore NotFound. It's more "what you don't have permission to view doesn't exist".
As for whether it "is criminal", no. I'm far from a RESTafarian and consider REST a guide to making an API more intuitive for consumers. If security means you need to change things a little bit, do it. Plus, does it make it any less intuitive?
I hope this helps :).
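The two policies discussed in this thread, side by side, as an added example that is not part of the original post or answer. The article store, the owner-only authorization rule and the user names are constructed for illustration.

```python
from typing import Callable, Dict, Tuple

# Constructed sample store (hypothetical data): article id -> record.
ARTICLES: Dict[int, dict] = {
    2386: {"owner": "alice", "title": "Quarterly numbers"},
    17: {"owner": "bob", "title": "Release notes"},
}

Response = Tuple[int, dict]
Handler = Callable[[str, int], Response]


def can_view(user: str, article: dict) -> bool:
    """Assumed authorization rule: only the owner may read an article."""
    return article["owner"] == user


def get_article_distinct(user: str, article_id: int) -> Response:
    """The 'semantic' variant from the question: 404 when the id is missing,
    403 when it exists but the caller may not read it. The status code alone
    tells an unauthorized caller whether the id exists."""
    article = ARTICLES.get(article_id)
    if article is None:
        return 404, {"error": "not found"}
    if not can_view(user, article):
        return 403, {"error": "forbidden"}
    return 200, article


def get_article_uniform(user: str, article_id: int) -> Response:
    """The variant the answer recommends: a caller who may not view the
    article gets the same 404 as for a missing id, so existence is not
    disclosed through the status code."""
    article = ARTICLES.get(article_id)
    if article is None or not can_view(user, article):
        return 404, {"error": "not found"}
    return 200, article


def leaks_existence(handler: Handler, user: str, existing: int, missing: int) -> bool:
    """Defender's check: does this handler let an unauthorized caller tell an
    existing id from a missing one by status code?"""
    return handler(user, existing)[0] != handler(user, missing)[0]


if __name__ == "__main__":
    for h in (get_article_distinct, get_article_uniform):
        print(h.__name__, "leaks existence:", leaks_existence(h, "mallory", 2386, 9999))
```

Note that the uniform variant only hides existence if the 404 body, headers and response timing are also identical for the two cases; the status code is just the most obvious channel.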