REST HTTP status code if DELETE impossible

rest http-status-codes
Matt picture Matt · Aug 4, 2014 · Viewed 21.6k times · Source

My question is quite a generic one about HTTP status code when a DELETE is impossible on the resource (but not regarding user's rights).

We have a RESTful API on a type of resource.

The DELETE method is authorized on the resource however under some conditions a resource cannot be deleted (if there are data binded to this resource).

What is the correct HTTP status code to return to the client in this situation?

Here are some of the possibilities I gathered and why it seems inappropriate in my case :

  • 403 (Forbidden) : Seems mostly related with user's rights.
  • 405 (Method Not Allowed) : Seems like the API is not designed to respond to this method for this type of resource.
  • 409 (Conflict) : Seems appropriate but the client should have the possibility to resolve the conflict with the API but that's not the case here.

Update : The data binding that prevents the resource to be deleted cannot be changed via the REST API. However the resource can be "freed" via other way as the database from which the data comes from is also accessed by other apps that may change the state of a resource (an SQL DELETE in the DB can always do that).

Answer

E-Riz picture E-Riz · Aug 4, 2014

I'd say 409 is the most appropriate, given it's wording in the RFC:

The 409 (Conflict) status code indicates that the request could not be completed due to a conflict with the current state of the target resource. This code is used in situations where the user might be able to resolve the conflict and resubmit the request. The server SHOULD generate a payload that includes enough information for a user to recognize the source of the conflict.

(emphasis mine)

Based on my understanding of the description in the question, the reason for DELETE not being allowed is exactly a conflict with the current state of the target resource. As indicated in the RFC, the response payload can give an indication of the reason and, optionally, the user might be able to resolve it. I don't see anything in the spec that makes 409 inappropriate just because the API doesn't offer a conflict resolution possibility.

Related questions

REST HTTP status codes for failed validation or invalid duplicate

I am building an application with a REST-based API and have come to the point where I am specifying status codes for each requests. What status code should i send for requests failing validation or where a request is trying …

Read More
JAX-RS — How to return JSON and HTTP status code together?

I'm writing a REST web app (NetBeans 6.9, JAX-RS, TopLink Essentials) and trying to return JSON and HTTP status code. I have code ready and working that returns JSON when the HTTP GET method is called from the client. Essentially: @Path("…

Read More
HTTP response code for POST when resource already exists

I'm building a server that allows clients to store objects. Those objects are fully constructed at client side, complete with object IDs that are permanent for the whole lifetime of the object. I have defined the API so that clients …

Read More