
Say I want to do DELETE /groups/20, and that my business rules state you cannot delete a group as long as it has members.

  • If DELETE succeeds, I would return 200 or 204
  • If group 20 does not exist, I would return 404
  • If the user is not authenticated, I would return 401.
  • If the user is authenticated but does not have rights on group 20, I would return 403
  • If group 20 exists, the user is authenticated, the request is fine, but you cannot delete group 20 because it contains members?

What would you return in that case? 400? But the syntax is perfectly formed. 403? Well, yes, it is forbidden, but 403 has come to generally mean, "you don't have the right to perform this action", as opposed to, "you have the right, but some prerequisite is not met, take care of those and then come back."

deitch
  • Maybe `409 Conflict`? – Nov 02 '14 at 10:42
  • Conflict on a delete? Seems strange. `409` seems more to be reserved for double-creating something, e.g. if `name` must be unique and you create an item with the same name as an existing one, or update a name to the same as existing one. – deitch Nov 02 '14 at 10:46
  • @Mat No, because `412` is 'The server does not meet one of the preconditions that the *requester* put on the request.' – Nov 02 '14 at 10:46
  • @Mat that is interesting. I like it as an idea, but is that what it is really for? I thought it is for explicit headers, like, "delete this resource if some condition is true explicitly" – deitch Nov 02 '14 at 10:47
  • @Tichodroma yep, looks like you are right. See http://stackoverflow.com/questions/5369480/when-is-it-appropriate-to-respond-with-a-http-412-error – deitch Nov 02 '14 at 10:50
  • @Mat No, the *server* imposes the business rules. – Nov 02 '14 at 10:50
  • Well, that is interesting. I could make it client-side, but here it seems to fit very well with server side. I want the server saying, "no, you cannot delete this because it has dependencies." I might allow for an override option - either allow delete despite dependencies or cascade delete - but that is something else. – deitch Nov 02 '14 at 10:51

1 Answer


If the user is able to correct the request by deleting the members and trying to delete the group again, you should return 409 Conflict. RFC 7231 says:

The 409 (Conflict) status code indicates that the request could not be completed due to a conflict with the current state of the target resource. This code is used in situations where the user might be able to resolve the conflict and resubmit the request. The server SHOULD generate a payload that includes enough information for a user to recognize the source of the conflict.

You said in the comments that 409 Conflict seems more to be reserved for double-creating something, but "seems reserved" is almost an oxymoron. If something is reserved, the RFCs are usually quite explicit about it and use the keyword MUST. RFC 7231 mentions the case of conflicting edits due to PUT requests as the more common case, but nowhere does it say the status code is reserved for that.

Conflicts are most likely to occur in response to a PUT request. For example, if versioning were being used and the representation being PUT included changes to a resource that conflict with those made by an earlier (third-party) request, the origin server might use a 409 response to indicate that it can't complete the request. In this case, the response representation would likely contain information useful for merging the differences based on the revision history.

Pedro Werneck
  • I like this. If you interpret "conflict" as "conflict in state" not "conflict of resources", then it makes sense. Thanks! – deitch Nov 03 '14 at 07:25
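The status-code decision the question and answer walk through, written out as a small handler for DELETE /groups/{id}. This is an added example, not code from the question or the answer: the in-memory store, the `tok-alice`/`tok-carol` session tokens, the user names and the `delete_group`/`remove_member` function names are all constructed for illustration. It evaluates authentication before anything else (so an unauthenticated caller learns nothing about which group ids exist), then existence, then the caller's rights on that group, and only then the business rule, answering the "group still has members" case with 409 and a payload that names the members so the client can resolve the conflict and resubmit, as RFC 7231 asks.

```python
import copy
from http import HTTPStatus

# Constructed sample data (not from the original post): groups keyed by id,
# session tokens mapped to user names, and the groups each user may administer.
SAMPLE_STORE = {
    "groups": {
        20: {"name": "staff", "members": ["alice", "bob"]},
        21: {"name": "archive", "members": []},
    },
    "tokens": {"tok-alice": "alice", "tok-carol": "carol"},
    "admin_of": {"alice": {20, 21}, "carol": set()},
}


def new_store():
    """Return a fresh deep copy of the sample data so each scenario starts clean."""
    return copy.deepcopy(SAMPLE_STORE)


def delete_group(store, group_id, auth_token=None):
    """Handle DELETE /groups/{group_id}; return (status_code, response_body).

    Check order: authentication -> existence -> authorization -> business rule.
    Authentication comes first so that callers without credentials cannot probe
    which group ids exist; the remaining order follows the question's own list.
    """
    user = store["tokens"].get(auth_token)
    if user is None:
        # 401: no valid credentials were presented at all.
        return HTTPStatus.UNAUTHORIZED, {"error": "authentication required"}

    group = store["groups"].get(group_id)
    if group is None:
        # 404: the target resource does not exist.
        return HTTPStatus.NOT_FOUND, {"error": f"group {group_id} does not exist"}

    if group_id not in store["admin_of"].get(user, set()):
        # 403: authenticated, but this user may not administer this group.
        return HTTPStatus.FORBIDDEN, {"error": "not permitted to delete this group"}

    if group["members"]:
        # 409: the request is well-formed and permitted, but conflicts with the
        # current state of the resource. The body tells the client what to fix.
        return HTTPStatus.CONFLICT, {
            "error": "group still has members and cannot be deleted",
            "members": list(group["members"]),
            "hint": "remove the members, then resubmit DELETE",
        }

    del store["groups"][group_id]
    # 204: deleted, nothing further to return.
    return HTTPStatus.NO_CONTENT, {}


def remove_member(store, group_id, member):
    """Constructed helper standing in for DELETE /groups/{id}/members/{member}."""
    members = store["groups"][group_id]["members"]
    if member in members:
        members.remove(member)
        return HTTPStatus.NO_CONTENT
    return HTTPStatus.NOT_FOUND


if __name__ == "__main__":
    store = new_store()
    # Walk the conflict case to a successful delete.
    print(delete_group(store, 20, "tok-alice"))        # 409 with member list
    for name in ("alice", "bob"):
        remove_member(store, 20, name)
    print(delete_group(store, 20, "tok-alice"))        # 204, group gone
```

`HTTPStatus` members are `IntEnum` values, so a caller can compare them directly with integers or hand them to any framework that expects a numeric status. Some APIs deliberately collapse the 403 branch into 404 for resources the caller is not allowed to see, to avoid confirming that a group exists; the handler above keeps the two codes distinct because that is what the question lists.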