What HTTP status code to use when user has access to URL but not to query parameters?
Good day,
What HTTP status code should be used when the requester has access to that URL but supplied improper query parameters?
Let's say something like this:
As user 100, I can access http://example.com/bankaccount/get?id=100
However, I should not be able to see the bank account of another user, let's say via http://example.com/bankaccount/get?id=200.
Which HTTP status code should be used?
If the access is forbidden, return 403:
The server understood the request, but is refusing to fulfill it. […] If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.
But I don't see the point of explicitly specifying the ID anyway, as you already know the user's ID. So /bankaccount/get should suffice in this case.
In your example I would either send a 302, redirecting him to an error page, or a 200 with a custom error page right there. This will be the most user-friendly version.
Edit: If you want to opt for something in the 4xx area of status codes, make sure the web server supplies an appropriate error page. The average user will not be happy to see a white screen with "403 - Forbidden". 403 with a custom error page is a good solution to this problem.
I vote for 403 - Forbidden, since it's a legitimate request, but not allowed for the current user.
If the query parameter names were wrong, on the other hand, it should probably be 404.
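As an added example (my own code, not from the question or any of the answers above), here is a framework-free Python sketch of the /bankaccount/get?id=<n> endpoint that puts the answers' advice into one place: the caller's identity comes from the session, not from the query string; an id the caller does not own gets 403, or 404 when the service prefers not to confirm that the account exists (the option the quoted 403 text allows); and a variant without any id parameter serves the caller's own account, as the first answer suggests. The account table, user ids and balances are constructed sample data; returning 400 for a missing or non-numeric id is my own choice for a malformed request, which differs from the 404 the last answer proposes for wrong parameter names.

```python
# Added example (not from the original question or answers): choosing the
# status code for GET /bankaccount/get?id=<n> once the caller is known from
# the session. All data below is constructed for illustration.

from typing import Dict, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: account id -> (owner user id, balance in cents)
ACCOUNTS: Dict[int, Tuple[int, int]] = {
    100: (100, 12_500),
    200: (200, 98_000),
}

Response = Tuple[int, dict]  # (HTTP status code, JSON-like body)


def get_bank_account(session_user_id: int, url: str, hide_existence: bool = False) -> Response:
    """Return (status, body) for a request like /bankaccount/get?id=100.

    session_user_id is the authenticated caller (taken from the session, never
    from the request). The id query parameter is only honoured for accounts the
    caller owns. With hide_existence=True a foreign account and a missing
    account both yield 404, so a caller cannot enumerate which ids exist.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "id" not in query:
        # Wrong or missing parameter name: the request itself is malformed.
        return 400, {"error": "missing required query parameter 'id'"}
    raw = query["id"][0]
    if not raw.isdigit():
        return 400, {"error": "id must be an integer"}
    account_id = int(raw)

    record = ACCOUNTS.get(account_id)
    if record is None:
        return 404, {"error": "account not found"}
    owner, balance = record
    if owner != session_user_id:
        # Understood, but refused: 403 by default, 404 if the service does not
        # want to reveal that someone else's account with this id exists.
        if hide_existence:
            return 404, {"error": "account not found"}
        return 403, {"error": "you do not have access to this account"}
    return 200, {"id": account_id, "balance": balance}


def get_own_bank_account(session_user_id: int) -> Response:
    """Variant without an id parameter: /bankaccount/get serves the caller's
    own account, so there is no client-controlled id to tamper with."""
    for account_id, (owner, balance) in ACCOUNTS.items():
        if owner == session_user_id:
            return 200, {"id": account_id, "balance": balance}
    return 404, {"error": "no account for this user"}


if __name__ == "__main__":
    base = "http://example.com/bankaccount/get"
    print(get_bank_account(100, base + "?id=100"))                        # 200, own account
    print(get_bank_account(100, base + "?id=200"))                        # 403, someone else's
    print(get_bank_account(100, base + "?id=200", hide_existence=True))   # 404, existence hidden
    print(get_bank_account(100, base + "?ID=100"))                        # 400, wrong parameter name
    print(get_own_bank_account(100))                                      # 200, no id needed
```

The important line is the ownership comparison against session_user_id: whichever status code you settle on, the check itself must run on every request, because the query parameter is fully under the client's control.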