This is an spin-off of #2943176-13: Spec Compliance: when error object 'id' key exists, it contains the individual resource URI, instead of "a unique identifier for this particular occurrence of the problem".

In order to provide more useful errors when access is denied to a resource, we would like to be able to have a source.pointer key in the error object which references the resource identifier for the restricted resource.

That would look something like this:

{
  "data": [
    {"type": "node--accessible", "uuid": "some-random-uuid", "attributes": {...}, "relationships": {...}},
    {"type": "node--inaccessible", "uuid": "some-random-uuid"}
  ],
  "meta": {
    "errors": [
      {
        "status": 403,
        "title": "Access Denied",
        "source": {
          "pointer": "/data/1"
        }
      }
    ]
  }
}

This will also improve DX with regard to pagination because responses will no longer contain fewer items than the page limit, even when sufficient resources exist to "fill" the page.

To do this, we must stop omitting restricted resources entirely and include only a resource identifier.

Comments

gabesullice created an issue. See original summary.

gabesullice’s picture

gabesullice
Primary language English
commented
Issue summary: View changes
wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented

/me follows along eagerly.

e0ipso’s picture

e0ipso
Primary language Catalan
Location Can Picafort
commented

Do we want the pointer to be https://example.org/jsonapi/node/article/1235-123s#/data/id. That is what got lost in the other ticket and it's compliant with the JSON Pointer spec.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
  1. In which issue did that get lost?
  2. Absolute JSON Pointer URLs only make sense when pointing to errors for existing resources; they don't make sense when pointing to errors for modifying resources (POSTing or PATCHing).
gabesullice’s picture

gabesullice
Primary language English
commented
Status: Active » Closed (duplicate)

I'm actually closing this as a duplicate, per #2943176-21: Spec Compliance: when error object 'id' key exists, it contains the individual resource URI, instead of "a unique identifier for this particular occurrence of the problem". This issue was never meant to cover pointers, it was only meant to:

stop omitting restricted resources entirely and include only a resource identifier.

After that, I assumed it would be trivial to add better error pointers to those resource identifiers and that that patch could live on the original issue. I've since learned that it's not so easy to separate these things.