31

Assume that I have a resource (e.g: /api/shipments/100) which supports HTTP DELETE method. As you can understand from the URI itself, if a DELETE request is made against this URI, this resource will be removed.

In my current scenario, the DELETE request can only be performed successfully if a certain condition is met as below:

  • If the shipment state is not set to InTransit or Delivered.

If there is a DELETE request against that URI and the above condition is not met, which HTTP status code would be more proper to return in that case? I have thought about the below ones but couldn't decide which one is more semantic:

  • 405 Method Not Allowed
  • 403 Forbidden
  • 409 Conflict
tugberk
  • 57,477
  • 67
  • 243
  • 335

2 Answers2

31

I would go with 409: Conflict, because what you have is a violation of resource state.

405: Method Not Allowed would also work. If you'd want to use a 405, you'd have to send an Allow header to indicate the supported methods, and the supported methods would vary depeding on the resource's state. In my opinion, this response code fits well for read-only resources, resources that can't be deleted etc. but Darrel's comments to this post are valid. The spec is ambiguous:

The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. The response MUST include an Allow header containing a list of valid methods for the requested resource.

In either case, you should provide information in the response body for the client to understand the source of the error.

Regarding the other two methods mentioned:

403: Forbidden should be used when you don't have the appropriate privileges to modify the resource, i.e. if you have to be an admin to delete that resource and you're not.

412: Precondition Failed is mostly used for conditional requests where the preconditions are specified explicitly in the request headers. For example, you can have conditional PUT requests that should be carried out only when the If-Match header is valid. If you don't specify anything in the request headers, I'd still choose 409 over 412. Here's the spec for 412:

The precondition given in one or more of the request-header fields evaluated to false when it was tested on the server. This response code allows the client to place preconditions on the current resource metainformation (header field data) and thus prevent the requested method from being applied to a resource other than the one intended.

Community
  • 1
  • 1
Alex Ciminian
  • 11,398
  • 15
  • 60
  • 94
  • Do you have a reference for your argument against 405? How can you say that a resource will not ever support a particular method? I don't see an issue with the supported methods changing over time. – Darrel Miller Oct 22 '12 at 14:07
  • Also, if you look at the definition of the Allow header, it includes the comment `The actual set of allowed methods is defined by the origin server at the time of each request` This infers to me that the set of methods "allowed" is expected to change, and the 405 is reflecting the current state. http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-18#section-9.1 – Darrel Miller Oct 22 '12 at 14:21
  • 4
    You win :-) Henrik is voting for 409. That's authoritative enough for me. https://twitter.com/frystyk/status/260383955486912512 – Darrel Miller Oct 22 '12 at 14:27
  • yeah, I agree with @DarrelMiller (on the "authoritative enough" subject) :) The HTTP God has spoken :) – tugberk Oct 22 '12 at 14:30
  • Your point was also valid, I updated my post to reflect that. Cheers! – Alex Ciminian Oct 22 '12 at 14:31
2

I would use 412: Precondition Failed.

Please see this for HTTP status codes

Web Status Codes

War10ck
  • 12,387
  • 7
  • 41
  • 54
Shahid
  • 668
  • 8
  • 16
  • 1
    But it says "The precondition given in one or more of the **request-header fields** evaluated to false when it was tested on the server" which wouldn't be semantic in my opinion. – tugberk Oct 22 '12 at 13:58