evolvedbinary / fusion-studio-api

Server Side API for Fusion Studio
GNU Affero General Public License v3.0

Explorer API returns HTTP 403 forbidden for non-existent resources #29

Open adamretter opened 4 years ago

adamretter commented 4 years ago

When accessing a resource that does not exist via the /explorer API, should we return HTTP 403 or HTTP 404? Arguably 403 is more secure, but perhaps misleading... we need to give this some thought.

duncdrum commented 3 years ago

Has thought been given? 403 seems the better choice to me, not sure how it is misleading because the /explorer endpoint is there?

adamretter commented 3 years ago

I think that if the user is authorized and the resource does not exist then the response should be 404; if the user is not authorized, that takes priority and the response should be 403.
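
The precedence described in the last comment, sketched as an added example (not fusion-studio-api code and not written by any participant in this thread). The `ACL` table, user names, paths and the `explorer_status` function are constructed for illustration. Deciding authorization for a missing path from its nearest existing ancestor collection is an assumption made here, not something the thread specifies.

```python
from pathlib import PurePosixPath

# Constructed sample store: path -> users allowed to read/traverse it.
ACL = {
    "/db": {"admin", "alice", "bob"},
    "/db/public": {"admin", "alice", "bob"},
    "/db/public/readme.xml": {"admin", "alice", "bob"},
    "/db/private": {"admin", "alice"},
    "/db/private/report.xml": {"admin"},
}


def explorer_status(user: str, path: str) -> int:
    """Return the HTTP status for `user` requesting `path` (hypothetical helper)."""
    target = PurePosixPath(path)
    # Walk from the top-level collection down to the target itself.
    chain = [p for p in reversed(target.parents) if str(p) != "/"] + [target]
    for node in chain:
        readers = ACL.get(str(node))
        if readers is None:
            # First missing component. Every existing ancestor above it
            # granted access, so the caller could already list that
            # collection: answering 404 reveals nothing new.
            return 404
        if user not in readers:
            # Denial takes priority. Stop before looking any deeper so the
            # answer is identical whether or not the child exists.
            return 403
    return 200


if __name__ == "__main__":
    for user, path in [
        ("alice", "/db/public/missing.xml"),   # authorized, absent  -> 404
        ("bob", "/db/private/report.xml"),     # unauthorized, exists -> 403
        ("bob", "/db/private/missing.xml"),    # unauthorized, absent -> 403
    ]:
        print(user, path, explorer_status(user, path))
```

Because the walk stops at the first denied collection, `bob` receives the same 403 for an existing and a non-existent child of `/db/private`, so the status code cannot be used to probe which resources exist there.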