If a DELETE request on a resource fails because constraints prevent
the resource from being deleted, what should the correct HTTP response
code be?
There appears to be a lot of contention about this on the web, but I'm
unable to find a 'definitive guide' for the sort of REST API I'm
developing. Perhaps someone could point me in the right direction?
I'm currently of the opinion that 403 Forbidden is the best option,
although 405 Method Not Allowed sounds equally appropriate, or perhaps
even 409 Conflict.
I believe 403 is an authentication header, as in 'your login failed'.
405 means the DELETE method itself isn't allowed. ActiveResource uses
409 for locking conflicts, and 422 for validation errors.
According to rfc 2616, it sounds like 409 would be your best bet:
The request could not be completed due to a conflict with the current
state of the resource. This code is only allowed in situations where
it is expected that the user might be able to resolve the conflict and
resubmit the request.