HTTP response code when DELETE request is not permitted

Hi there,

If a DELETE request on a resource fails because constraints prevent
the resource from being deleted, what should the correct HTTP response
code be?

There appears to be a lot of contention about this on the web, but I'm
unable to find a 'definitive guide' for the sort of REST API I'm
developing. Perhaps someone could point me in the right direction?

I'm currently of the opinion that 403 Forbidden is the best option,
although 405 Method Not Allowed sounds equally appropriate, or perhaps
even 409 Conflict.

Advice appreciated.


I believe 403 is an authentication header, as in 'your login failed'.
405 means the DELETE method itself isn't allowed. ActiveResource uses
409 for locking conflicts, and 422 for validation errors.

According to rfc 2616, it sounds like 409 would be your best bet:

The request could not be completed due to a conflict with the current
state of the resource. This code is only allowed in situations where
it is expected that the user might be able to resolve the conflict and
resubmit the request.

That sounds better than 422, unprocessable entity:

The request was well-formed but was unable to be followed due to
semantic errors.

There are many ways to interpret that though. I think the key is to
document it well and stick to it.

I agree -- 409 it is.

Thanks Rick.