1

I'm creating a rest API, using ASP.net Core and bit-framework
We want to allow the clients to be able to delete just the resources that they have created themselves

Questions:

In case a client asks to delete a resource which is created by another client,

  1. what is the best exception to raise in the API?

  2. What is the most correct HTTP status code to return?

  3. All the exception implemented in Bit.Owin.Exceptions namespace are:\

    1. BadRequestException
    2. ResourceNotFoundException
    3. AppException
    4. DomainLogicException

    should I stick to this list of exceptions in my API? Is this list of exceptions going to be including more exceptions to cover more scenarios?


  1. I think one of these status codes must be returned, but which one suites better our condition?:

    • 403 Forbidden
    • 405 Not Allowed
    • 409 Resource Conflict
Shahryar Saljoughi
  • 2,599
  • 22
  • 41

2 Answers2

3

I'm not familiar with the framework you are using. But let me give you my 2 cents. From the API consumer point of view, the 403 status code seems to be a quite reasonable choice for the situation described in your question:

6.5.3. 403 Forbidden

The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any). [...]

Alternatively, if you intend to hide the existence of a resource, throw an exception that maps to 404:

An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).

Community
  • 1
  • 1
cassiomolin
  • 124,154
  • 35
  • 280
  • 359
1

Based on @cassiomolin's answer, you can create your own exception type based on following docs:

https://docs.bit-framework.com/introduction/web-api#exception-handling

add exception type to bit framework known exceptions

public class CanNotDeleteOtherClientResourceException : Exception, IKnownException, IHttpStatusCodeAwareException
{
    public CanNotDeleteOtherClientResourceException(string message)
        : base(message)
    {
    }

    public HttpStatusCode StatusCode { get; set; } = HttpStatusCode.Forbidden;
}
Yaser Moradi
  • 3,267
  • 3
  • 24
  • 50