Say I have a website that allows anyone to log in through OAuth or similar, but only allows certain users to create or modify content. Should they somehow make a request for the page for creating a new post, I’ll do a check and redirect them if they don’t have the appropriate permissions.
Is it considered acceptable to redirect to the “403 Error” page in this situation? There was no actual HTTP response with a 403 status code, there was no database- or server-level query that failed – just my business logic. Am I misappropriating the idea of HTTP status codes if I serve an error 403 page with a specific explanatory message?
You are free to do so, but I think if you want to expose an API you would use an actual 403 response because they carry meaning that will be nicely handled by the client.
If you want to display a page to the client and will be using redirect, you will lose this meaning of the “403”.
Isn’t it better to just redirect them to an explanation page without including the “403” code? Or better yet, redirect them to a more helpful place, like the sign-up page if that is what they have to do to make a post, or back to the original page with a floating message.
We want to help the user get closer to their goals instead of confusing them with technical error codes.
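One way to implement the split this answer draws, as an added example that is not the answer author's code: the same server-side permission check runs on every request, but an API client (one whose Accept header prefers JSON) gets a real 403 or 401 status on the response itself, while a browser is redirected to the login page or sent back where it came from with a message. The route `/posts/new`, the permission string `posts:create`, the `User` record, the redirect targets and the flash-message query parameter are all assumptions made for illustration.

```python
import json
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


# Hypothetical user record: permissions come from the site's own business
# logic, not from the OAuth provider, which only proves who the visitor is.
@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""


def wants_json(accept_header: str) -> bool:
    """Rough content negotiation: a client that lists application/json and does
    not prefer text/html is treated as an API client."""
    media_types = [part.split(";")[0].strip() for part in accept_header.split(",")]
    if "application/json" not in media_types:
        return False
    if "text/html" not in media_types:
        return True
    return media_types.index("application/json") < media_types.index("text/html")


def safe_return_path(candidate: str, fallback: str = "/") -> str:
    """Accept only a same-site path as a redirect target. A Referer-derived
    value that is absolute or protocol-relative would be an open redirect."""
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return fallback


def with_query(path: str, **params: str) -> str:
    """Append query parameters to a local path, keeping any existing ones."""
    parts = urlsplit(path)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit(("", "", parts.path, urlencode(query), parts.fragment))


def handle_new_post(user, accept_header: str, referer: str = "/") -> Response:
    """Server-side gate for GET /posts/new (hypothetical route). It runs on
    every request, whether or not the UI ever showed the user the link."""
    api_client = wants_json(accept_header)

    if user is None:
        # Not signed in at all: 401 for API clients, login redirect for browsers.
        if api_client:
            return Response(401,
                            {"Content-Type": "application/json",
                             "WWW-Authenticate": "Bearer"},
                            json.dumps({"error": "authentication required"}))
        return Response(302, {"Location": with_query("/login", next="/posts/new")})

    if "posts:create" not in user.permissions:
        if api_client:
            # A real 403 on the response itself, so client libraries see it.
            return Response(403,
                            {"Content-Type": "application/json"},
                            json.dumps({"error": "forbidden",
                                        "detail": "posting requires a contributor account"}))
        # Browser: send the user back where they came from with a message,
        # rather than to a page named "403".
        back = safe_return_path(referer)
        return Response(303, {"Location": with_query(
            back, flash="You need a contributor account to post.")})

    return Response(200, {"Content-Type": "text/html"}, "<form>...new post form...</form>")
```

The check on `user.permissions` is the part that actually protects the site; the status code and redirect only decide how the refusal is presented. `safe_return_path` matters because the "back to the original page" redirect is usually built from the Referer header, and echoing an arbitrary URL there would let a link on another site bounce visitors through yours.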