What https status code to use when user has access to url but not to query parameters?

Good day,

What http status code should be used when the requester has access to that url but had improper query parameters.

Let's say something like this:

As user 100, I can access http://example.com/bankaccount/get?id=100

However, I should not be able to see the bank account of another user, let's say via http://example.com/bankaccou开发者_如何学运维nt/get?id=200 .

Which HTTP Status code should be used?

If the access is forbidden, return 403:

The server understood the request, but is refusing to fulfill it. […] If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

But I don’t see the point of explicitly specifying the ID anyway as you already now the user’s ID. So /bankaccount/get should suffice in this case.

In your example I would either send a 302, redirecting him to an error page, or a 200 with a custom error page right there. This will be the most user friendly version.

Edit: If you want to opt for something in the 4xx area of status codes, make sure the webserver supplies an appropriate error page. The average user will not be happy to see a white screen with "403 - Forbidden". 403 with a custom error page is a good solution to this problem.

I vote for 403 - Forbidden, since it's a legitimate request, but not allowed for the current user.

If the query parameter names were wrong, on the other hand, it should probably be 404.