
I am building an app in which users might be blocked for using offensive language. When a user is blocked, his or her app cannot access some API calls.

What should be the right HTTP status code when a blocked user tries to access these API parts? Error 403 seems like a good choice, but I wonder if there's anything more specific.

nvoigt
Adam Matan
  • @user4419802 Made my day. Care to fetch some coffee please? – Adam Matan Mar 05 '15 at 12:44
  • I don't think there's a specific code for *4xx You have used too many swear words*. Don't overthink it. If the user is **forbidden** to do something, use 403. If you want to be funny, use 418. – deceze Mar 05 '15 at 13:01
  • @AdamMatan Error 418: I'm a _tea_ pot. – Matt Mar 05 '15 at 13:07
  • The answer to *"is there's anything more specific"* is No. It is up to you what to send. (Nobody who matters should care about your choice in this context.) – Stephen C May 26 '19 at 03:24
  • @StephenC True. That was my choice back then. Write that as an answer and I'd be happy to accept. – Adam Matan May 26 '19 at 07:07

1 Answer


Just for completeness ....

The answer to the question is that there is no other code that is (clearly) more appropriate than 403. As Wikipedia says:

"HTTP 403 is returned when the client is not permitted access to the resource despite providing authentication - either because authentication failed, or for some reason besides authentication, such as insufficient permissions of the authenticated account. This other reason needs to be acted upon before re-requesting access to the resource."

That is a good fit to the scenario you describe.

The other thing is that since you have blocked the users, you probably don't care what they think about the "correctness" of the status code. Nobody else will care one way or the other.

Ultimately it is your choice.

Stephen C
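An added example, not part of the original question or answer: a minimal WSGI handler that returns 401 when the caller is not identified and 403 when an identified but blocked user calls a restricted endpoint. The token table, the blocked set, the endpoint paths and the JSON error bodies are all assumptions made up for the illustration.

```python
import json

# Constructed sample data (assumptions, not from the original post).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}   # bearer token -> user
BLOCKED = {"bob"}                                   # users blocked by moderation
RESTRICTED = ("/api/posts", "/api/comments")        # calls a blocked user loses

def status_for(token, path):
    """Return (status, user): 401 for an unknown caller, 403 for a blocked one."""
    user = TOKENS.get(token)
    if user is None:
        return "401 Unauthorized", None      # we do not know who this is
    if user in BLOCKED and path.startswith(RESTRICTED):
        return "403 Forbidden", user         # known user, action not permitted
    return "200 OK", user

def app(environ, start_response):
    """Minimal WSGI app applying the check to every request."""
    auth = environ.get("HTTP_AUTHORIZATION", "")
    token = auth[7:] if auth.startswith("Bearer ") else None
    status, user = status_for(token, environ.get("PATH_INFO", "/"))
    headers = [("Content-Type", "application/json")]
    if status.startswith("401"):
        headers.append(("WWW-Authenticate", "Bearer"))
        body = {"error": "authentication_required"}
    elif status.startswith("403"):
        # Say why, so the client can stop retrying and show a message.
        body = {"error": "account_blocked", "user": user}
    else:
        body = {"ok": True, "user": user}
    start_response(status, headers)
    return [json.dumps(body).encode()]

def call(path, token=None):
    """Drive the app in-process; return (status, headers, parsed body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if token:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + token
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    chunks = app(environ, start_response)
    return seen["status"], seen["headers"], json.loads(b"".join(chunks))

if __name__ == "__main__":
    for path, tok in [("/api/posts", None), ("/api/posts", "tok-bob"),
                      ("/api/profile", "tok-bob"), ("/api/posts", "tok-alice")]:
        print(path, tok, "->", call(path, tok)[0])
```

The blocked user still gets 200 on endpoints outside `RESTRICTED`, matching the question's "some API calls"; re-authenticating does not change the 403, which is what distinguishes it from the 401 case.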