I have a REST API which allows users to submit data to be saved in my database. When data is submitted, their userID is grabbed from the request header and added to the document.
In my collection (MongoDB) there is the normal _id field and a userID field, which references the user.
My question is: in the scenario that a malicious user submits a PUT or DELETE request for a document that does not belong to them, what is the best way to handle it?
1. I pull the prediction from the DB using just the submitted _id, check the userID field against the requesting userID, and issue a 403 response if they do not match.
2. I query the database by both _id and userID, so the document would not be found if it does not belong to the requesting user. I would then issue a 404 response, just as if they had submitted an id that does not exist.
Both choices achieve the same goal, which is to prevent a user from editing or deleting a resource that does not belong to them, but which is "better"?
CodePudding user response:
404 is for "not found", which is clearly not the case.
Use 403.
Quoting from Wikipedia:
HTTP 403 is returned when the client is not permitted access to the resource despite providing authentication ...