Response code 404 vs 403 when operation is not allowed
Related to : https:/
When a member (non-admin) tries to reboot a server belonging to a different tenant, one would expect that a 403-unauthorized HTTP code should be returned.
Setup
=====
Use RESTClient to POST to the following URL
http://<IPADDR>
JSON Body :
{
"reboot" : {
"type" : "HARD"
}
}
The x-auth-token belongs to a non-admin member of tenant1.
Actual Response received :
{"itemNotFound": {"message": "The resource could not be found.", "code": 404}}
Should the expected response be "403-unauthorized"?
The current response, 404, makes sense based on the fact that the UUID of the server provided does not belong to the tenant. So even before checking which actions are allowed or not, the code returns "not found".
This would be similar even when an invalid UUID is provided (e.g. the string "ThisIsDummyUUID"), i.e. we'll get 404.
Please comment whether 403 should be returned for "valid-
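The ordering the question describes (tenant-scoped lookup first, policy check second) can be shown with a small handler. This is an added example, not Nova's code: the server table, the token dicts, the POLICY table and the "forbidden" body key are all constructed for illustration. It reproduces the three outcomes discussed above: a malformed UUID and another tenant's UUID both collapse to the quoted 404 body before any policy runs, while 403 is only ever returned for a server the caller is entitled to see. The security reason for that order is that answering 403 for a foreign UUID would confirm the UUID exists in some other tenant, which lets a member enumerate other tenants' servers.

```python
import uuid

# Constructed sample inventory (not real Nova data): one server per tenant.
TENANT1_SERVER = "1a2b3c4d-1111-4aaa-8bbb-000000000001"
TENANT2_SERVER = "1a2b3c4d-2222-4aaa-8bbb-000000000002"
SERVERS = {
    TENANT1_SERVER: {"tenant_id": "tenant1", "status": "ACTIVE"},
    TENANT2_SERVER: {"tenant_id": "tenant2", "status": "ACTIVE"},
}

# Hypothetical policy table: which roles may invoke which server action.
# Illustrative only; real Nova policy is configured separately.
POLICY = {
    "reboot": {"member", "admin"},
    "resetNetwork": {"admin"},
}


def not_found():
    """404 body in the exact shape quoted in the question."""
    return 404, {"itemNotFound": {
        "message": "The resource could not be found.", "code": 404}}


def forbidden(action):
    """403 body; the 'forbidden' key is an assumption, not quoted from the page."""
    return 403, {"forbidden": {
        "message": "Policy doesn't allow %s to be performed." % action,
        "code": 403}}


def lookup_server(token, server_id):
    """Tenant-scoped lookup.

    Returns None for a malformed UUID, an unknown UUID, or (for a non-admin)
    a UUID owned by another tenant. The caller cannot tell these apart,
    which is what keeps cross-tenant UUIDs from being enumerable.
    """
    try:
        uuid.UUID(server_id)  # "ThisIsDummyUUID" raises ValueError here
    except ValueError:
        return None
    server = SERVERS.get(server_id)
    if server is None:
        return None
    if "admin" not in token["roles"] and server["tenant_id"] != token["tenant_id"]:
        return None
    return server


def server_action(token, server_id, body):
    """Handle POST /servers/{server_id}/action; returns (status, json_body)."""
    # Step 1: scoped lookup. Anything not visible to this tenant is a 404,
    # before any policy check runs.
    server = lookup_server(token, server_id)
    if server is None:
        return not_found()

    # Step 2: only now does the policy check run, so a 403 can only be
    # returned for a server the caller is already allowed to see.
    if len(body) != 1:
        return 400, {"badRequest": {
            "message": "Exactly one action expected.", "code": 400}}
    action = next(iter(body))
    allowed_roles = POLICY.get(action)
    if allowed_roles is None:
        return 400, {"badRequest": {
            "message": "Unknown action %s." % action, "code": 400}}
    if not allowed_roles.intersection(token["roles"]):
        return forbidden(action)

    # Step 3: perform the action (a stand-in for the real work).
    if action == "reboot":
        reboot_type = body["reboot"].get("type")
        server["status"] = "REBOOT" if reboot_type == "SOFT" else "HARD_REBOOT"
    return 202, {}
```

With a tenant1 member token, posting the HARD reboot body from the question against TENANT2_SERVER or against "ThisIsDummyUUID" returns the same 404 body; the only way to get a 403 from this handler is to ask for an action the member's role is not granted on its own server (resetNetwork here).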
Question information: Language: English; Status: Answered; Assignee: none. Asked by Mandar Vaze.