I am trying to make my API follow the JSON:API spec very strictly, but I’m a little confused on sections 7.3.1 and 7.3.2.
A server MUST respond to DELETE requests to a URL from a to-many relationship link as described below.
If a client makes a PATCH request to a URL from a to-many relationship link, the server MUST either completely replace every member of the relationship, return an appropriate error response if some resources can not be found or accessed, or return a 403 Forbidden response if complete replacement is not allowed by the server.
Does this mean that I cannot have “read-only” relationship routes?
For example if I only want to have this route for the “comments” relationship:
My server would fail rule 7.3.2 because it does NOT respond to POST, PATCH, or DELETE requests as the rule describes. It would respond with a 404.
Do I need to have the routes available, and return 403 Forbidden instead?
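One way to implement the 403 alternative the question raises, written as an added example that is not part of the original post: a single handler for a read-only to-many relationship link that serves GET normally and answers POST, PATCH and DELETE with 403 Forbidden plus a JSON:API error object. The article data, the `/articles/{id}/relationships/comments` path and the contents of the `Allow` header are assumptions made for the illustration.

```python
import json

JSONAPI_MEDIA_TYPE = "application/vnd.api+json"

# Constructed sample data (assumption): one article whose to-many
# "comments" relationship points at two comment resources.
ARTICLES = {
    "1": {"comments": ["5", "12"]},
}


def relationship_document(article_id, comment_ids):
    """Build the JSON:API relationship document served on GET.

    A to-many relationship is represented as an array of resource
    identifier objects ({"type", "id"}), plus self/related links.
    """
    return {
        "links": {
            "self": f"/articles/{article_id}/relationships/comments",
            "related": f"/articles/{article_id}/comments",
        },
        "data": [{"type": "comments", "id": cid} for cid in comment_ids],
    }


def error_document(status, title, detail):
    """Build a JSON:API error document with a single error object."""
    return {"errors": [{"status": str(status), "title": title, "detail": detail}]}


def handle_comments_relationship(method, article_id):
    """Handle /articles/{id}/relationships/comments as a read-only relationship.

    Returns (status_code, headers, body). GET serves the relationship;
    POST, PATCH and DELETE are refused with 403 Forbidden and a JSON:API
    error object (the option the quoted spec text offers when the server
    does not allow the modification). Anything else gets 405 with an
    Allow header listing the methods this route answers.
    """
    headers = {"Content-Type": JSONAPI_MEDIA_TYPE}

    article = ARTICLES.get(article_id)
    if article is None:
        return 404, headers, error_document(
            404, "Not Found", f"No article with id {article_id!r} exists."
        )

    if method == "GET":
        return 200, headers, relationship_document(article_id, article["comments"])

    if method in ("POST", "PATCH", "DELETE"):
        return 403, headers, error_document(
            403,
            "Forbidden",
            "The comments relationship is read-only; "
            "adding, replacing or removing members is not allowed.",
        )

    # Assumption: the route is considered to "answer" all four methods, so
    # they are all listed even though three of them are refused with 403.
    headers["Allow"] = "GET, POST, PATCH, DELETE"
    return 405, headers, error_document(
        405, "Method Not Allowed", f"Method {method} is not supported on this resource."
    )


def render(status, headers, body):
    """Serialize a handler result the way an HTTP framework would emit it."""
    status_line = f"HTTP/1.1 {status}"
    header_lines = "\n".join(f"{k}: {v}" for k, v in headers.items())
    return f"{status_line}\n{header_lines}\n\n{json.dumps(body, indent=2)}"


if __name__ == "__main__":
    for method in ("GET", "PATCH", "DELETE", "PUT"):
        print(render(*handle_comments_relationship(method, "1")))
        print("-" * 40)
```

The handler keeps the existence check first so that a PATCH to a relationship of a non-existent article gets 404 rather than 403, and every non-2xx response carries a JSON:API `errors` array with the same `Content-Type` as successful responses.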