[Koha-bugs] [Bug 36066] REST API: We should only allow deleting cancelled order lines

bugzilla-daemon at bugs.koha-community.org
Tue Mar 5 05:10:27 CET 2024


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36066

--- Comment #10 from Victor Grousset/tuxayo <victor at tuxayo.net> ---
Another thing that made it slip unnoticed is the return code being the same for
not having the right permission and trying to delete something not in the right
state for deletion.

This is totally out of this ticket: Isn't there any code to differentiate these
two things? I'm just asking to know if I should open a ticket or if there is
really nothing to do about this and just move on.

https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_client_errors
- maybe moving permission failure response to 401? nope, 401 is super specific
so out of our case: «The response must include a WWW-Authenticate header field
containing a challenge applicable to the requested resource»
- «403 [...] user not having the necessary permissions for a resource or
needing an account of some sort, or attempting a prohibited action (e.g.
creating a duplicate record where only one is allowed).» Ok it seems that's how
403 was made, grouping lack of permission and prohibited action by business
rules :(
