Web API return 403 Forbidden 是否应该有端点?
Should Web API return 403 Forbidden or not have an endpoint at all?
我有一个网络 API,对于一个模型,我只允许通过 ID [GET] api/models/{modelId} 或更新 [PUT] api/models/{modelId} 获取。 API 不支持 POST、DELETE 或获取集合 ([GET] api/models)。
在Controller和returnForbid()403状态下应该还有这些方法吧?
或者我应该简单地删除这些方法吗?
HTTP response status codes 的完整列表可以帮助您确定最合适的回复。
403 Forbidden不符合您描述的情况:
The client does not have access rights to the content; that is, it is unauthorized, so the server is refusing to give the requested resource. Unlike 401, the client's identity is known to the server.
另一方面,405 Method Not Allowed似乎适合这种情况:
The request method is known by the server but has been disabled and cannot be used. For example, an API may forbid DELETE-ing a resource. The two mandatory methods, GET and HEAD, must never be disabled and should not return this error code.
Note:
The server MUST generate an Allow header field in a 405 response containing a list of the target resource's currently supported methods.
我有一个网络 API,对于一个模型,我只允许通过 ID [GET] api/models/{modelId} 或更新 [PUT] api/models/{modelId} 获取。 API 不支持 POST、DELETE 或获取集合 ([GET] api/models)。
在Controller和returnForbid()403状态下应该还有这些方法吧?
或者我应该简单地删除这些方法吗?
HTTP response status codes 的完整列表可以帮助您确定最合适的回复。
403 Forbidden不符合您描述的情况:
The client does not have access rights to the content; that is, it is unauthorized, so the server is refusing to give the requested resource. Unlike 401, the client's identity is known to the server.
另一方面,405 Method Not Allowed似乎适合这种情况:
The request method is known by the server but has been disabled and cannot be used. For example, an API may forbid DELETE-ing a resource. The two mandatory methods,
GETandHEAD, must never be disabled and should not return this error code.
Note:
The server MUST generate an Allow header field in a 405 response containing a list of the target resource's currently supported methods.