Proper use of HTTP Error Codes. 550 - Why is it 5xx instead of 4xx?

Bart Calixto · May 13, 2013

Today a co-worker used a 550 error on a delete action when the user doesn't have permission, which at first looked bad to me because, as far as I'm aware, that kind of error looks like a client (aka 4xx) error to me and not a server (aka 5xx) one.

When looking at the description, it suggests exactly that it was used correctly, instead of a 401 error, which I was using with some 'problems' before.

The problem with a 401 error is: if user A is logged in and tries to do an action that returns a 401, it can suggest that you must 'log in', since you don't have valid credentials to access that HTTP resource. The problem with this approach is that if the user is logged in, the server knows that he doesn't have the permission; in this case it looks like a 550 is more appropriate, but it doesn't look quite right to me that a 550 error should be used in this scenario.

The question is: what's the proper use (if any) of the 550 error in web-based applications? I understand its use in FTP and SMTP relay usage. If some logged-in user sends a request for an action which is not permitted, which error should be returned?

Thanks!

Answer

Thomas Clayson · May 13, 2013

5xx errors are SERVER errors. If the user doesn't have permission, it should be a 4xx error.

However, you're correct. A 401 error means that a user must log in to access, i.e. authentication is required.

The error you're looking for is 403 Forbidden.

This has no ambiguity over whether it's because a user is logged in or not. It's clear cut.

From the Wikipedia page on HTTP status codes (http://en.wikipedia.org/wiki/List_of_HTTP_status_codes) (emphasis mine):

403 Forbidden

The request was a valid request, but the server is refusing to respond to it.[2] Unlike a 401 Unauthorized response, authenticating will make no difference.[2] On servers where authentication is required, this commonly means that the provided credentials were successfully authenticated but that the credentials still do not grant the client permission to access the resource (e.g. a recognized user attempting to access restricted content).

Again, according to the above wiki, there is no such thing as a 550 error. I suppose that you could choose to implement it yourself, but there's probably no need, to be honest. It should be a server error as defined in the standards, however.
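The 401 / 403 / 5xx split described in the answer, as an added example that is not part of the question or the answer above. It models a DELETE handler over a constructed in-memory session table and ACL (`SESSIONS`, `ACL`, `lookup_permissions` and the `/docs/broken` failure path are all assumptions made for the illustration): no valid credentials gives 401 with the `WWW-Authenticate` header that RFC 7235 requires on a 401, a recognised user without the `delete` right gives 403, and a failure of the server's own permission lookup is the one case that legitimately becomes a 5xx, because the server, not the client, could not complete the decision.

```python
"""Added example: choosing 401 vs 403 vs 5xx for a DELETE request.

Not code from the original page. Session store, ACL and the
'/docs/broken' failure case are constructed for the illustration.
"""
from http import HTTPStatus

# Constructed sample data: bearer tokens -> usernames, and per-path ACLs.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ACL = {
    "/docs/42": {"alice": {"read", "delete"}, "bob": {"read"}},
}


class PermissionStoreError(Exception):
    """Simulates an infrastructure fault (e.g. the ACL backend is unreachable)."""


def lookup_permissions(path, user):
    """Return the set of rights `user` holds on `path` (assumed helper)."""
    if path == "/docs/broken":  # constructed failure case for the 5xx branch
        raise PermissionStoreError("ACL backend unreachable")
    return ACL.get(path, {}).get(user, set())


def authenticate(headers):
    """Map an Authorization header to a username, or None if not logged in."""
    token = headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        return None
    return SESSIONS.get(token[len("Bearer "):])


def handle_delete(path, headers):
    """Return (status, response_headers, body) for DELETE `path`."""
    user = authenticate(headers)
    if user is None:
        # No valid credentials: 401. RFC 7235 requires a WWW-Authenticate
        # header on a 401 so the client knows how to log in.
        return (
            HTTPStatus.UNAUTHORIZED,
            {"WWW-Authenticate": 'Bearer realm="docs"'},
            "authentication required",
        )
    try:
        perms = lookup_permissions(path, user)
    except PermissionStoreError:
        # The server could not make the decision: that is a server fault,
        # so 5xx is right here, and only here.
        return (HTTPStatus.INTERNAL_SERVER_ERROR, {}, "authorization service unavailable")
    if "delete" not in perms:
        # Valid credentials, but no right to this action: 403, and the
        # client re-authenticating would not change the outcome.
        return (HTTPStatus.FORBIDDEN, {}, "forbidden")
    ACL.pop(path, None)  # perform the delete
    return (HTTPStatus.NO_CONTENT, {}, "")


if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": "Bearer tok-bob"}, {"Authorization": "Bearer tok-alice"}):
        status, _, body = handle_delete("/docs/42", hdrs)
        print(f"{hdrs!r:40} -> {int(status)} {body}")
```

The order of checks matters for the meaning of the codes: authentication is decided before authorization, so an anonymous caller always sees 401 and never learns from a 403 that the resource exists and is protected, while a logged-in caller gets an unambiguous 403 that no login prompt will fix.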