I have an issue with the HTTP response code.
Use case:
A user with the "user" role tries to modify a record which is editable only by users with moderator privileges (enforced by business logic).
What HTTP status response is expected?
I'm sure that the statuses below are wrong:
200 is wrong because the action is not successful.
400 seems to be wrong because all request parts are correct (body/headers/method).
I consider 401 Unauthorized or 403 Forbidden, but I don't have any argument to apply.
What status would you expect?
The 403 status code seems to be suitable for the situation described in your question. However, if the server wants to "hide" the existence of a resource, then 404 can be used instead. See the following quote from RFC 7231:

    The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any). If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.

    An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).

The 401 status code is meant to be used for HTTP authentication (where the credentials are sent in the Authorization header) to indicate that the credentials have been refused for that request.
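Added example (not part of the question or the answer above): a small handler that makes the three decisions the answer distinguishes. No or invalid credentials gives 401 with the WWW-Authenticate header that RFC 7235 requires on a 401; valid credentials without the moderator role gives 403; and an optional "hide existence" mode returns the same 404 as a genuinely missing record so a non-moderator cannot tell the two apart. The user table, the record store, the "moderator" role name and the use of HTTP Basic for the credential check are all constructed assumptions for the example.

```python
"""Added example: choosing between 401, 403 and 404 for a role-gated edit.

Illustrative code, not from the original question or answer. The users,
records and role names below are constructed test data.
"""
import base64
import binascii
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (assumption, not from the page).
USERS = {
    "alice": {"password": "alice-pw", "roles": {"user"}},
    "mod": {"password": "mod-pw", "roles": {"user", "moderator"}},
}
RECORDS = {"rec-1": {"owner": "alice", "moderator_only": True}}


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def basic_auth_header(user: str, password: str) -> str:
    """Build an 'Authorization: Basic ...' value for the constructed tests."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(auth_header: Optional[str]) -> Optional[str]:
    """Return the username for a valid Basic credential, else None.

    Basic auth is used only because it is trivial to construct offline;
    a real service would verify a session or bearer token here.
    """
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, pw = base64.b64decode(auth_header[6:]).decode().split(":", 1)
    except (ValueError, binascii.Error):  # bad base64, bad UTF-8, no ':'
        return None
    known = USERS.get(user)
    # Constant-time comparison so password checking does not leak timing.
    if known is None or not hmac.compare_digest(known["password"].encode(), pw.encode()):
        return None
    return user


def edit_record(record_id: str, auth_header: Optional[str],
                hide_existence: bool = False) -> Response:
    """Decide the status for 'user edits record' as the answer describes."""
    user = authenticate(auth_header)
    if user is None:
        # 401: credentials missing or refused. RFC 7235 requires a
        # WWW-Authenticate header so the client knows how to retry.
        return Response(401, "authentication required",
                        {"WWW-Authenticate": 'Basic realm="records"'})
    record = RECORDS.get(record_id)
    if record is None:
        return Response(404, "not found")
    if record["moderator_only"] and "moderator" not in USERS[user]["roles"]:
        if hide_existence:
            # Identical status and body to the missing-record branch, so a
            # forbidden record is indistinguishable from a nonexistent one.
            return Response(404, "not found")
        # 403: request understood, credentials valid, but not sufficient.
        return Response(403, "moderator role required")
    return Response(200, "updated")


if __name__ == "__main__":
    for label, hdr in [("anonymous", None),
                       ("alice", basic_auth_header("alice", "alice-pw")),
                       ("mod", basic_auth_header("mod", "mod-pw"))]:
        print(label, edit_record("rec-1", hdr).status)
```

Note that the 403 branch deliberately says why access was refused while the hidden variant says nothing; which of the two a service should use depends on whether the record's existence is itself sensitive, which is exactly the choice the RFC leaves to the origin server.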