[thelist] 403 or 404?

Bill Moseley moseley at hank.org
Wed Jun 6 09:01:27 CDT 2007


On Wed, Jun 06, 2007 at 12:40:27AM -0700, jenny w wrote:
> What would be the benefit of a status of either 404 or 403? Is it for
> the purpose of supporting robots, providing an API, or something else?
>  I think it'd actually be kind of weird to use either of these codes.
> In most Web applications, it's much more common to use status codes of
> 200 OK or 3xx redirects.  For example, a status of 200 would be fine
> because the URI would load but simply display different information
> depending on a user's permission level.

In this case, though, /object/22 is valid for one user but for another
user that resource just doesn't exist.  You can argue it's a 403 if
the object actually does exist in the database and a 404 if it
doesn't, but the spec says you can use a 404 in both cases.

The situation is you have a page where a list of links to the user's
objects is displayed.  The user may decide to try using different
object ids just to see what happens.  When handling that link all
the application knows is a request was made with an invalid object id
for that user.  Of course, you don't know if the invalid id is a
hacking attempt or an error in the previous page generation.

(And actually, in my case in my Controller I don't even know if the
object exists or not for other users as the Controller is just asking
the Model for the user's object for the given id and the Model is
returning "doesn't exist".)

> Alternatively, you could use a redirect to an index, a list, a
> search form, a create form, whatever.

That's actually what I have done in the past:

    /path/to/object     - display list of objects user owns
    /path/to/object/22  - display object 22
    /path/to/object/abc - invalid, so ignore and show list
    /path/to/object/33  - not owned by user, also invalid, show list

And in the last two cases a message is displayed that an invalid
item was requested.  I actually prefer that method to issuing ugly
404 or 403 pages.

-- 
Bill Moseley
moseley at hank.org
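
The owner-scoped lookup described in the message above, where the Controller asks the Model only for the user's own object and so cannot tell "missing" from "someone else's", as an added example that is not part of the original post. It uses Python with an in-memory SQLite table; the table layout, function names and sample rows are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data: alice owns object 22, bob owns object 33.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE objects (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
db.executemany("INSERT INTO objects VALUES (?, ?, ?)",
               [(22, "alice", "alice's report"), (33, "bob", "bob's report")])

# One shared response for every failure case, so the status code and body
# never reveal whether an id exists for some other user.
NOT_FOUND = (404, "Not Found")


def find_for_user(user, object_id):
    """Model (hypothetical name): the owner is part of the WHERE clause, so
    'belongs to someone else' and 'does not exist' both return None."""
    row = db.execute("SELECT body FROM objects WHERE id = ? AND owner = ?",
                     (object_id, user)).fetchone()
    return row[0] if row else None


def show_object(user, raw_id):
    """Controller (hypothetical name) for /path/to/object/<raw_id>."""
    # Malformed ids such as "abc", and ids too long for a SQLite INTEGER,
    # take the same path as unknown ids.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 18):
        return NOT_FOUND
    body = find_for_user(user, int(raw_id))
    if body is None:
        return NOT_FOUND
    return (200, body)


if __name__ == "__main__":
    for raw_id in ("22", "33", "99", "abc"):
        print("alice ->", raw_id, show_object("alice", raw_id))
```

Because the ownership check lives in the query itself, a handler that forgets to compare owners cannot return another user's row.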



