Return Forbidden when operation is inaccessible, to match resource endpoint status code

Author: bkoelman

Diff for: src/JsonApiDotNetCore/Controllers/BaseJsonApiOperationsController.cs

@@ -140,7 +140,7 @@ protected virtual void ValidateEnabledOperations(IList<OperationContainer> opera
             {
                 string operationCode = GetOperationCodeText(operationKind);
 
-                errors.Add(new ErrorObject(HttpStatusCode.UnprocessableEntity)
+                errors.Add(new ErrorObject(HttpStatusCode.Forbidden)
                 {
                     Title = "The requested operation is not accessible.",
                     Detail = $"The '{operationCode}' relationship operation is not accessible for relationship '{operationRequest.Relationship}' " +
@@ -155,7 +155,7 @@ protected virtual void ValidateEnabledOperations(IList<OperationContainer> opera
             {
                 string operationCode = GetOperationCodeText(operationKind);
 
-                errors.Add(new ErrorObject(HttpStatusCode.UnprocessableEntity)
+                errors.Add(new ErrorObject(HttpStatusCode.Forbidden)
                 {
                     Title = "The requested operation is not accessible.",
                     Detail = $"The '{operationCode}' resource operation is not accessible for resource type '{operationRequest.PrimaryResourceType}'.",

Diff for: test/JsonApiDotNetCoreTests/IntegrationTests/AtomicOperations/Controllers/AtomicCustomConstrainedOperationsControllerTests.cs

@@ -69,7 +69,7 @@ public async Task Can_create_resources_for_matching_resource_type()
     }
 
     [Fact]
-    public async Task Cannot_create_resource_for_mismatching_resource_type()
+    public async Task Cannot_create_resource_for_inaccessible_operation()
     {
         // Arrange
         var requestBody = new
@@ -96,20 +96,20 @@ public async Task Cannot_create_resource_for_mismatching_resource_type()
         (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecutePostAtomicAsync<Document>(route, requestBody);
 
         // Assert
-        httpResponse.ShouldHaveStatusCode(HttpStatusCode.UnprocessableEntity);
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.Forbidden);
 
         responseDocument.Errors.ShouldHaveCount(1);
 
         ErrorObject error = responseDocument.Errors[0];
-        error.StatusCode.Should().Be(HttpStatusCode.UnprocessableEntity);
+        error.StatusCode.Should().Be(HttpStatusCode.Forbidden);
         error.Title.Should().Be("The requested operation is not accessible.");
         error.Detail.Should().Be("The 'add' resource operation is not accessible for resource type 'performers'.");
         error.Source.ShouldNotBeNull();
         error.Source.Pointer.Should().Be("/atomic:operations[0]");
     }
 
     [Fact]
-    public async Task Cannot_update_resource_for_matching_resource_type()
+    public async Task Cannot_update_resource_for_inaccessible_operation()
     {
         // Arrange
         MusicTrack existingTrack = _fakers.MusicTrack.Generate();
@@ -145,20 +145,20 @@ await _testContext.RunOnDatabaseAsync(async dbContext =>
         (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecutePostAtomicAsync<Document>(route, requestBody);
 
         // Assert
-        httpResponse.ShouldHaveStatusCode(HttpStatusCode.UnprocessableEntity);
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.Forbidden);
 
         responseDocument.Errors.ShouldHaveCount(1);
 
         ErrorObject error = responseDocument.Errors[0];
-        error.StatusCode.Should().Be(HttpStatusCode.UnprocessableEntity);
+        error.StatusCode.Should().Be(HttpStatusCode.Forbidden);
         error.Title.Should().Be("The requested operation is not accessible.");
         error.Detail.Should().Be("The 'update' resource operation is not accessible for resource type 'musicTracks'.");
         error.Source.ShouldNotBeNull();
         error.Source.Pointer.Should().Be("/atomic:operations[0]");
     }
 
     [Fact]
-    public async Task Cannot_add_to_ToMany_relationship_for_matching_resource_type()
+    public async Task Cannot_add_to_ToMany_relationship_for_inaccessible_operation()
     {
         // Arrange
         MusicTrack existingTrack = _fakers.MusicTrack.Generate();
@@ -201,12 +201,12 @@ await _testContext.RunOnDatabaseAsync(async dbContext =>
         (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecutePostAtomicAsync<Document>(route, requestBody);
 
         // Assert
-        httpResponse.ShouldHaveStatusCode(HttpStatusCode.UnprocessableEntity);
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.Forbidden);
 
         responseDocument.Errors.ShouldHaveCount(1);
 
         ErrorObject error = responseDocument.Errors[0];
-        error.StatusCode.Should().Be(HttpStatusCode.UnprocessableEntity);
+        error.StatusCode.Should().Be(HttpStatusCode.Forbidden);
         error.Title.Should().Be("The requested operation is not accessible.");
         error.Detail.Should().Be("The 'add' relationship operation is not accessible for relationship 'performers' on resource type 'musicTracks'.");
         error.Source.ShouldNotBeNull();

Diff for: test/JsonApiDotNetCoreTests/IntegrationTests/AtomicOperations/Controllers/AtomicDefaultConstrainedOperationsControllerTests.cs

@@ -20,7 +20,7 @@ public AtomicDefaultConstrainedOperationsControllerTests(IntegrationTestContext<
     }
 
     [Fact]
-    public async Task Cannot_delete_resource_for_disabled_resource_endpoint()
+    public async Task Cannot_delete_resource_for_inaccessible_operation()
     {
         // Arrange
         TextLanguage existingLanguage = _fakers.TextLanguage.Generate();
@@ -53,20 +53,20 @@ await _testContext.RunOnDatabaseAsync(async dbContext =>
         (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecutePostAtomicAsync<Document>(route, requestBody);
 
         // Assert
-        httpResponse.ShouldHaveStatusCode(HttpStatusCode.UnprocessableEntity);
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.Forbidden);
 
         responseDocument.Errors.ShouldHaveCount(1);
 
         ErrorObject error = responseDocument.Errors[0];
-        error.StatusCode.Should().Be(HttpStatusCode.UnprocessableEntity);
+        error.StatusCode.Should().Be(HttpStatusCode.Forbidden);
         error.Title.Should().Be("The requested operation is not accessible.");
         error.Detail.Should().Be("The 'remove' resource operation is not accessible for resource type 'textLanguages'.");
         error.Source.ShouldNotBeNull();
         error.Source.Pointer.Should().Be("/atomic:operations[0]");
     }
 
     [Fact]
-    public async Task Cannot_change_ToMany_relationship_for_disabled_resource_endpoints()
+    public async Task Cannot_change_ToMany_relationship_for_inaccessible_operations()
     {
         // Arrange
         TextLanguage existingLanguage = _fakers.TextLanguage.Generate();
@@ -145,26 +145,26 @@ await _testContext.RunOnDatabaseAsync(async dbContext =>
         (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecutePostAtomicAsync<Document>(route, requestBody);
 
         // Assert
-        httpResponse.ShouldHaveStatusCode(HttpStatusCode.UnprocessableEntity);
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.Forbidden);
 
         responseDocument.Errors.ShouldHaveCount(3);
 
         ErrorObject error1 = responseDocument.Errors[0];
-        error1.StatusCode.Should().Be(HttpStatusCode.UnprocessableEntity);
+        error1.StatusCode.Should().Be(HttpStatusCode.Forbidden);
         error1.Title.Should().Be("The requested operation is not accessible.");
         error1.Detail.Should().Be("The 'update' relationship operation is not accessible for relationship 'lyrics' on resource type 'textLanguages'.");
         error1.Source.ShouldNotBeNull();
         error1.Source.Pointer.Should().Be("/atomic:operations[0]");
 
         ErrorObject error2 = responseDocument.Errors[1];
-        error2.StatusCode.Should().Be(HttpStatusCode.UnprocessableEntity);
+        error2.StatusCode.Should().Be(HttpStatusCode.Forbidden);
         error2.Title.Should().Be("The requested operation is not accessible.");
         error2.Detail.Should().Be("The 'add' relationship operation is not accessible for relationship 'lyrics' on resource type 'textLanguages'.");
         error2.Source.ShouldNotBeNull();
         error2.Source.Pointer.Should().Be("/atomic:operations[1]");
 
         ErrorObject error3 = responseDocument.Errors[2];
-        error3.StatusCode.Should().Be(HttpStatusCode.UnprocessableEntity);
+        error3.StatusCode.Should().Be(HttpStatusCode.Forbidden);
         error3.Title.Should().Be("The requested operation is not accessible.");
         error3.Detail.Should().Be("The 'remove' relationship operation is not accessible for relationship 'lyrics' on resource type 'textLanguages'.");
         error3.Source.ShouldNotBeNull();