Closed jordan2175 closed 5 years ago
Allan's proposed new text is:
This Endpoint deletes an object from a Collection by its id. For STIX 2 objects, the {object-id} MUST be the STIX id.
If the Collection specifies can_write as false for a particular client, this Endpoint MUST return an HTTP 401 (Unauthorized) error.
The DELETE endpoint is not supported for write-only collections, where can_write is true and can_read is false. If a client attempts a DELETE operation on a write-only collection, then the server should return HTTP 403 (Forbidden).
To support removing a particular version of an object, this Endpoint supports filtering as defined in section 3.4. The only valid match parameter is version.
When a TAXII Server returns a successful response code of 200 to a DELETE, any subsequent attempts to fetch that object from the collection by an authorized client using the Get Objects Endpoint MUST return an HTTP 404 (Not Found) response. Furthermore, any subsequent attempts to fetch the collection manifest or its contents MUST NOT return the object in the result. Subsequent attempts to fetch the object from other collections present on the TAXII server MAY also return an HTTP 404 (Not Found) response, and subsequent attempts to fetch the collection manifest or its contents of other collections which contained the object MAY not return the object in the result.
There was also an issue with some text description about the {object-id}. It said "requested" when it should have said "deleted".
I have rewritten this section to address all of the feedback from Allan and John. The new text looks like this:
If a client fails authentication then this endpoint MUST return either an HTTP 401 (Unauthorized) or an HTTP 404 (Not Found).
The following table defines the conditions and possible error codes that can be returned once a client has successfully authenticated to this endpoint. If the collection specifies the following permissions for the authenticated client and the client attempts to delete an object at this endpoint, then this endpoint MUST return the error codes as defined in the following table. It is important to note that the DELETE endpoint is not supported for write-only collections, where can_read is false and can_write is true.
This has been addressed in working draft 04.
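The status-code rules from the proposed and rewritten text above (401/404 on failed authentication, 401 when can_write is false, 403 for write-only collections, 404 from Get Objects once an object is gone), as an added Python example that is not part of this issue or of any TAXII implementation. The `Collection` class, the function names, the sample STIX id, the meaning of the match[version] values (all/first/last/timestamp) and the choice to delete all versions when no version is given are assumptions for this example.

```python
from dataclasses import dataclass, field

# Constructed placeholder id for the example; not a real STIX object.
SAMPLE_ID = "indicator--00000000-0000-4000-8000-000000000001"


@dataclass
class Collection:
    # Permissions as the collection resource exposes them for one client.
    can_read: bool
    can_write: bool
    # object id -> versions (modified timestamps), oldest first.
    objects: dict = field(default_factory=dict)


def sample_collection():
    """Read/write collection holding two versions of the sample object (constructed)."""
    return Collection(True, True, {SAMPLE_ID: ["2020-01-01T00:00:00.000Z",
                                               "2020-02-01T00:00:00.000Z"]})


def delete_object(col, authenticated, object_id, version=None):
    """Decide the HTTP status for DELETE /objects/{object-id}; returns (status, remaining)."""
    if not authenticated:
        return 404, None          # 401 is equally acceptable for failed authentication
    if col.can_write and not col.can_read:
        return 403, None          # write-only collection: DELETE is not supported
    if not col.can_write:
        return 401, None          # client is not allowed to write to this collection
    versions = col.objects.get(object_id)
    if not versions:
        return 404, None          # nothing to delete
    # match[version] handling; value semantics are an assumption (see lead-in).
    if version in (None, "all"):
        remaining = []
    elif version == "first":
        remaining = versions[1:]
    elif version == "last":
        remaining = versions[:-1]
    else:
        remaining = [v for v in versions if v != version]
        if len(remaining) == len(versions):
            return 404, None      # no such version of the object
    if remaining:
        col.objects[object_id] = remaining
    else:
        col.objects.pop(object_id)  # last version gone: object must now 404 on GET
    return 200, remaining


def get_object(col, object_id):
    """Get Objects check: 404 once every version has been deleted."""
    versions = col.objects.get(object_id)
    return (200, versions) if versions else (404, None)
```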
Allan has found an issue with the text around error codes that need to be returned for the Delete HTTP method. I will take his text and add it to the Google Doc in suggestion mode.