当资源可用但由于权限而无法访问时，请更正HTTP状态代码 [英] Correct HTTP status code when resource is available but not accessible because of permissions

问题描述

我正在为我的计算机科学论文构建一个用于动态拼车应用程序的RESTful协议。

I am building a RESTful protocol for Dynamic Carpooling applications, for my Computer Science thesis.

在协议中，我还必须正式指定每个操作的HTTP状态代码。我有这个隐私相关的问题。假设如下：

In the Protocol I also have to formally specify the HTTP status code for each operation. I've got this "privacy related" problem. Suppose the following:

GET / api / persons / angela / location

检索用户angela的当前位置。
很明显，不是每个人都应该能够获得结果。只有安吉拉本身和一个可能会选择她的司机应该能够知道。

Retrieves the current position of user "angela". It is obvious that not everybody should be able to obtain a result. Only angela itself and a possible driver that is going to pick her should be able to know it.

我无法决定是否返回404 Not Found或401 Forbidden这里。

I can not decide whether to return a 404 Not Found or a 401 Forbidden here.

任何提示？什么是最好的？为什么？

Any hints? What would be the best one and why?

推荐答案

根据维基百科（和 RFC 2616 ），当页面存在但需要认证时使用401代码; 403用于认证不会改变任何内容的页面。 （在野外，403通常意味着对某些内容的权限是错误的，而401将提示用户输入用户名/密码）。 404用于文档根本不存在。

According to Wikipedia (and RFC 2616), a 401 code is used when a page exists but requires authentication; 403 is for a page where authenticating won't change anything. (In the wild, 403 usually means the permissions on something are wrong, whereas a 401 will prompt the user for a username/password). 404 is for where the document simply doesn't exist.

在您的情况下，似乎401是最合适的代码，因为有一些方法可以验证用户谁有权访问该页面。

In your case, it seems like 401 is the most appropriate code, since there is some way of authenticating the users who DO have access to the page.

这篇关于当资源可用但由于权限而无法访问时，请更正HTTP状态代码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！