Limit exceeded sounds like 403: Forbidden.
“403 Forbidden
The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request SHOULD NOT be repeated.
If the request method was not HEAD and the server wishes to make
public why the request has not been fulfilled, it SHOULD describe the
reason for the refusal in the entity. If the server does not wish to
make this information available to the client, the status code 404
(Not Found) can be used instead.”
409 may be more appropriate as the user can resolve the conflict and resubmit the request by removing some of their ‘stuff’.
I could see arguing for both of these. The interesting part is the entity body that describes why the 403/409 was returned.
Scott Seely |
architect |
email sse...@myspace.com |
Sub codes are used fairly extensively in the IIS/ASP.NET ecosystem and it all seems to work quite well. I have no idea how well the rest of the world handles this.
Cassie,
This list looks correct. Can you put up the proposed wording change so that we can have an informed vote on this?
Thanks!
I think that we need to provide additional behavior MUSTs when returning some of these codes. Here is a proposal for the DL to beat up. The text reflects what I think we will have to implement to have some consistency in these status codes across OpenSocial sites.
OpenSocial application servers MUST return 400 BAD REQUEST under any one or more of the following conditions:
· Invalid request URI
· Invalid HTTP Header
· Receiving an unsupported, nonstandard parameter
· Receiving an invalid HTTP Message Body
OpenSocial container servers MUST return 401 UNAUTHORIZED when receiving a request for a protected resource and the request is either
· Missing OAuth authorization credentials as described in OAuth Consumer Request 1.0, http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/1/spec.html.
· OAuth authorization credentials are present, but the user identity is not authorized to access the protected resource.
If the request already included authorization credentials, the 401 response indicates that the request has been refused for those credentials. A 401 response MUST include a WWW-Authenticate header field indicating the request MAY present an OAuth token for the container server’s realm. Example:
WWW-Authenticate: OAuth realm="http://sp.example.com/"
[Editor’s note: RFC 2616 indicates that a 401 MUST include a WWW-Authenticate header field. OAuth 1.0, section 5.4.2 indicates that the WWW-Authenticate header with OAuth as a challenge is optional. With OAuth being required, we need to require this response in order to stay in line with RFC 2616 and HTTP Status Code 401.]
The server understood the request but is refusing to fulfill it. Authorization will not help. The current authorization context does not allow the request.
The server has not found a resource (such as a feed or entry) that matches the request URI.
The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. The response MUST include an Allow header containing a list of valid methods for the requested resource.
[Editor’s note: I am not inventing new requirements here. RFC 2616 indicates that a 405 MUST include an Allow header field. Actually, the above text is verbatim from RFC 2616.]
The request could not be completed due to a conflict with the current state of the resource. This code is only allowed in situations where it is expected that the user might be able to resolve the conflict and resubmit the request. The response body SHOULD include enough information for the user to recognize the source of the conflict. Ideally, the response entity would include enough information for the user or user agent to fix the problem; however, that might not be possible and is not required.
Conflicts are most likely to occur in response to a PUT request. For example, this code can be used for a limit exceeded error as well as conflicting updates. See the error message for more information.
[Editor’s note: I am not inventing new requirements here. The above text is mostly verbatim from RFC 2616.]
Internal error. This is the default code that is used for all unrecognized errors.
The request was valid but has not been implemented by the provider. A container SHOULD return 501 NOT IMPLEMENTED when receiving a request for an OPTIONAL/MAY feature that the container does not implement.
+1 (naturally)
+1