Auth, Business rules and HTTP

epigene

Augusts Bautra

Posted on March 27, 2024

Auth, Business rules and HTTP

Say we have an Invitation model. Invitations can be fully CRUDed while they are in draft, but once they are sent, editing should be impossible.

To deny edits, we could start with changes to the UI - perhaps remove links/buttons leading to edit, but this does not preclude users navigating to edit form directly.
Perhaps we can modify the edit form also, make everything disabled, remove submit button.
This should be safe enough for internal systems, but a system facing public internet should probably also have some safety on the back-end - at least in update action and maybe even in the model validation or even readonly level.

This leads us to what HTTP status to respond with if an update request for an already sent Invitation comes in.

Possibilities:

  • bad_request: 400, # tells users they could change request somehow for it to succeed
  • unauthorized: 401, # tells user auth credentials were missing and they need to log in
  • forbidden: 403, # tells user they are logged in, but have no permissions to update
  • precondition_failed: 412, # deals with specific headers
  • unprocessable_entity: 422, # tells user request was understood, but cannot be carried out for some reason

The split is between 400 and 422, and 422 wins because it more clearly communicates that request was OK, and that there is nothing the user can change to make the request succeed.

See also SO thread of 400 VS 422

💖 💪 🙅 🚩
epigene
Augusts Bautra

Posted on March 27, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

Ruby on Rails HTTP Status codes
ruby Ruby on Rails HTTP Status codes

October 4, 2024

Auth, Business rules and HTTP
rails Auth, Business rules and HTTP

March 27, 2024

Software Technology Stacks
webdev Software Technology Stacks

July 5, 2023

A Full-Stack Application
react A Full-Stack Application

September 16, 2021