ocket commented on issue #4043: TO: Internal Server error is returned when
user not tenant of the ds assigns/deletes required capability
URL: https://github.com/apache/trafficcontrol/issues/4043#issuecomment-547649192

No, this is - at least for DELETE - correct behavior. A user without tenancy
permissions over a DS should never know that the DS exists. Responding with a
403 circumvents that, by admitting that the DS exists.

When assigning a required capability to a Delivery Service with improper
tenancy, the response should be one of:

- `400 Bad Request` - most common but perhaps more general than we need to be
- `404 Not Found` - immediately tells you that something you were looking
for didn't exist, but sort of implies that it's the URI that's non-existent,
which isn't the case here
- `409 Conflict` - Something about the state of the server is in conflict
with the request, in this case the fact that the requested Delivery Service
doesn't exist (as far as the requesting user knows).

For my money one of the bottom two is best, and I sort of go back and forth
as to which is better. But all three are acceptable.
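
The comment's argument, that a 403 on a tenancy mismatch confirms the Delivery Service exists, can be checked by comparing the response for a DS in another tenant with the response for a DS that does not exist. The following is an added example, not Traffic Ops code and not part of the original comment; the route, the `X-Tenant` header, and the tenant and DS names are hypothetical, and it uses `404`, one of the three codes the comment lists as acceptable.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample data: Delivery Service name -> owning tenant.
var dsTenant = map[string]string{"video-ds": "tenant-a"}

// handler builds a DELETE handler for a hypothetical required-capability route.
// With leak403 set it answers 403 on a tenancy mismatch (the behavior the
// comment argues against); otherwise a DS outside the caller's tenancy takes
// the same branch as a DS that does not exist.
func handler(leak403 bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		owner, exists := dsTenant[r.URL.Query().Get("ds")]
		// Assumption: a real API takes the tenant from the session, not a header.
		allowed := exists && owner == r.Header.Get("X-Tenant")
		switch {
		case allowed:
			w.WriteHeader(http.StatusOK)
		case exists && leak403:
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			http.Error(w, "delivery service not found", http.StatusNotFound)
		}
	}
}

// probe sends one DELETE as the given tenant and returns status and body.
func probe(h http.HandlerFunc, tenant, ds string) (int, string) {
	req := httptest.NewRequest(http.MethodDelete, "/required-capabilities?ds="+ds, nil)
	req.Header.Set("X-Tenant", tenant)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	for _, leak := range []bool{true, false} {
		c1, _ := probe(handler(leak), "tenant-b", "video-ds")
		c2, _ := probe(handler(leak), "tenant-b", "no-such-ds")
		fmt.Printf("leak403=%v foreign=%d missing=%d distinguishable=%v\n", leak, c1, c2, c1 != c2)
	}
}
```

The same pairwise comparison works as a regression test for any tenancy-scoped endpoint: status and body for "exists but not yours" must equal those for "does not exist".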