[thelist] 403 or 404?

Ken Schaefer Ken at adOpenStatic.com
Tue Jun 5 23:46:58 CDT 2007


404 = Object Not Found
403 = Access Denied

So the question you need to ask yourself - if someone is accessing a resource
they are not authorized to view, is that "Access Denied"? or "Object Not
Found"? Sounds like the former to me.

Cheers
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Bill Moseley
Sent: Wednesday, 6 June 2007 2:23 PM
To: thelist at lists.evolt.org
Subject: [thelist] 403 or 404?

Say I have a web application where someone must be logged in.
To view an object a user makes a request like:

    /object/21

where 21 is the primary key in the object table.  If the user *owns*
object 21 they can view it.  If the user does not own the object do
they get 403 or 404?  Kind of seems like a 403.

What if the request is for an id that doesn't exist?  Does that make a
difference?

    /object/393928128

I'm thinking 404 in both cases (which I guess is within the spec).

Would you handle things differently if the object id was
part of a query string?

    /object?id=21

Or in a hidden field in a posted form?
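Added example (not part of the thread, and not Bill's or Ken's code): a small request handler that makes the 403-versus-404 decision explicit for the three id transports Bill lists. The object table, the user names and the `Response` type are constructed for the example; `hide_existence` is an assumed switch that selects between Ken's answer (403 when the object exists but belongs to someone else) and Bill's "404 in both cases", which keeps the response for "not yours" identical to "does not exist" so that the status code does not confirm which ids are in the table. The 401 for an anonymous request is also an assumption, since the thread only says the user must be logged in.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory "object table": primary key -> owner.  Not real data.
OBJECTS = {21: "bill", 22: "ken"}


@dataclass
class Response:
    status: int
    body: str


def extract_object_id(request):
    """Pull the object id out of a request in any of the three forms from the
    thread: /object/21, /object?id=21, or a hidden field in a posted form.
    `request` is a dict with a 'path' (path plus query string) and an optional
    'form' dict of posted fields.  Returns an int or None."""
    parts = urlsplit(request["path"])
    segments = parts.path.strip("/").split("/")
    raw = None
    if len(segments) == 2 and segments[0] == "object" and segments[1]:
        raw = segments[1]                      # /object/21
    elif parts.path.rstrip("/") == "/object":
        query = parse_qs(parts.query)
        form = request.get("form", {})
        raw = (query.get("id") or [None])[0] or form.get("id")   # ?id=21 or hidden field
    if raw is None:
        return None
    try:
        return int(raw)
    except ValueError:
        return None


def handle(request, user, hide_existence=False):
    """Decide the status code.  The ownership check is the same no matter where
    the id arrived; only the code returned for "exists but not yours" depends
    on the hide_existence policy (False = Ken's 403, True = Bill's 404)."""
    if user is None:
        return Response(401, "login required")        # assumed: anonymous requests
    object_id = extract_object_id(request)
    if object_id is None:
        return Response(404, "not found")             # malformed or missing id
    owner = OBJECTS.get(object_id)
    if owner is None:
        return Response(404, "not found")             # id not in the table
    if owner != user:
        if hide_existence:
            return Response(404, "not found")         # indistinguishable from a missing id
        return Response(403, "access denied")         # object exists, caller may not view it
    return Response(200, f"object {object_id}")


if __name__ == "__main__":
    for req, user, hide in [
        ({"path": "/object/21"}, "bill", False),
        ({"path": "/object/21"}, "ken", False),
        ({"path": "/object/21"}, "ken", True),
        ({"path": "/object/393928128"}, "ken", False),
        ({"path": "/object?id=21"}, "ken", False),
        ({"path": "/object", "form": {"id": "21"}}, "ken", True),
    ]:
        r = handle(req, user, hide_existence=hide)
        print(req, user, "hide_existence=%s" % hide, "->", r.status, r.body)
```

With `hide_existence=False` a caller who does not own object 21 gets 403 while a request for 393928128 gets 404, so the two outcomes are distinguishable; with `hide_existence=True` both collapse to 404, which is the "within the spec" option Bill describes. Whichever policy is chosen, the query-string and hidden-field variants pass through the same `handle` check as the path form, so the transport of the id does not change the decision.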
