What is the best practice for a response if the user tries to write to a field he or she is not allowed?
Imagine the user wants to create a resource, for example a pizza: POST /pizza
The body:
{
    "name": "Hawaii",
    "base": "tomato sauce",
    "firstMain": "ham",
    "secondMain": "pineapple",
    "cheese": true
}
Problem is, you can't put secondMain on a pizza (because it's pineapple). What's better? Return a 403 error with the message that field secondMain is not writable, or return a 201 with the created pizza but without the secondMain?
What's the best practice for this problem? I didn't find anything on Google.
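
The two responses the question weighs, side by side, as an added example that is not part of the original post. The allowlist of writable fields, the `policy` parameter, the error body shape and the choice to treat unknown fields like non-writable ones are assumptions made for illustration.

```python
# Assumption: the server keeps an explicit allowlist of client-writable
# fields for POST /pizza. Anything else in the body is "not writable".
WRITABLE_FIELDS = {"name", "base", "firstMain", "cheese"}

# Constructed sample: the request body from the question.
SAMPLE_BODY = {
    "name": "Hawaii",
    "base": "tomato sauce",
    "firstMain": "ham",
    "secondMain": "pineapple",
    "cheese": True,
}


def create_pizza(body, policy):
    """Return (status_code, response_body) for a POST /pizza request.

    policy="reject": refuse the whole request with 403 and name the fields.
    policy="strip":  create the pizza without those fields and return 201.
    """
    if policy not in ("reject", "strip"):
        raise ValueError("policy must be 'reject' or 'strip'")

    # Fields the client sent but may not set, in a stable order.
    blocked = sorted(key for key in body if key not in WRITABLE_FIELDS)

    if blocked and policy == "reject":
        # Nothing is created; the client learns exactly what was refused.
        return 403, {"error": "field not writable", "fields": blocked}

    # Only allowlisted fields ever reach the stored resource, so a
    # non-writable field can never be set through the request body.
    pizza = {key: value for key, value in body.items() if key in WRITABLE_FIELDS}
    return 201, pizza


if __name__ == "__main__":
    for policy in ("reject", "strip"):
        print(policy, create_pizza(SAMPLE_BODY, policy))
```

In both branches the stored pizza is built from the allowlist only; the policies differ in whether the client is told that part of its input was refused.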