POST /api/teams
{
  "name": "",
  "leagueId": 1
}
Rules:
Let's say the authenticated user doesn't have access to leagueId because the user is not the owner. Is it better to return a 403 response (note that the rule for the name field is also not satisfied)? Or is it better to return a 422 status code and this payload:
{
  "errors": [
    {
      "field": "name",
      "message": "Name is required."
    },
    {
      "field": "leagueId",
      "message": "User is not the owner of the league."
    }
  ],
  "message": "Validation Failed"
}
I would return a 400 bad request
when a required field is not present as the request did not satisfy the implicit contract.
And I would return 403 Forbidden
in the case the authenticated user is not the owner of the league, as it indicates that the user is not allowed to do this because of who he/she is.
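One way to implement the answer's ordering (authorization decided before field validation), as an added example that is not from the original thread; the User class, the LEAGUES table and the create_team function are assumptions:

```python
# Added example: the answer's approach with explicit check ordering.
# Names (LEAGUES, User, create_team) are assumptions, not from the thread.
from dataclasses import dataclass

# Constructed sample data: league id -> owner user id
LEAGUES = {1: "alice", 2: "bob"}


@dataclass(frozen=True)
class User:
    id: str


def create_team(user: User, payload: dict) -> tuple[int, dict]:
    """Return (status_code, body) for POST /api/teams.

    Authorization is decided before field validation, so a caller who does
    not own the league gets a bare 403 and learns nothing about which other
    fields are malformed. Only an authorized caller sees field-level errors.
    """
    league_id = payload.get("leagueId")
    # A missing or non-integer leagueId breaks the request contract: 400.
    if not isinstance(league_id, int) or isinstance(league_id, bool):
        return 400, {"message": "Bad Request",
                     "errors": [{"field": "leagueId",
                                 "message": "leagueId must be an integer."}]}
    # Ownership check. An unknown league is treated like a league the caller
    # does not own (assumption), so the response does not reveal existence.
    if LEAGUES.get(league_id) != user.id:
        return 403, {"message": "Forbidden"}
    # Caller is authorized; now validate the remaining fields.
    errors = []
    name = payload.get("name")
    if not isinstance(name, str) or not name.strip():
        errors.append({"field": "name", "message": "Name is required."})
    if errors:
        return 400, {"message": "Validation Failed", "errors": errors}
    return 201, {"name": name.strip(), "leagueId": league_id}
```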