From 30a0eff89685b8dd438e08b3a874b6de63d54172 Mon Sep 17 00:00:00 2001
From: Austin McGee <947888+amcgee@users.noreply.github.com>
Date: Mon, 30 Sep 2024 10:03:35 +0200
Subject: [PATCH] fix: use 403 for authorization errors

---
 server/src/routes/v1/apps/handlers/createApp.js | 6 +++---
 server/src/routes/v1/apps/handlers/createAppVersion.js | 2 +-
 server/src/routes/v1/apps/handlers/deleteApp.js | 2 +-
 server/src/routes/v1/apps/handlers/deleteAppVersion.js | 2 +-
 server/src/routes/v1/apps/handlers/deleteImage.js | 2 +-
 server/src/routes/v1/apps/handlers/editApp.js | 2 +-
 server/src/routes/v1/apps/handlers/editAppVersion.js | 2 +-
 server/src/routes/v1/apps/handlers/editImage.js | 2 +-
 server/src/routes/v1/apps/handlers/getAllApps.js | 2 +-
 server/src/routes/v1/apps/handlers/setApprovalStatus.js | 2 +-
 server/src/routes/v1/apps/handlers/uploadImageToApp.js | 2 +-
 server/src/routes/v2/apps.js | 4 ++--
 server/src/routes/v2/channels.js | 6 +++---
 13 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/server/src/routes/v1/apps/handlers/createApp.js b/server/src/routes/v1/apps/handlers/createApp.js
index dd2867535..601eacaed 100644
--- a/server/src/routes/v1/apps/handlers/createApp.js
+++ b/server/src/routes/v1/apps/handlers/createApp.js
@@ -39,7 +39,7 @@ module.exports = {
 },
 handler: async (request, h) => {
 if (!canCreateApp(request, h)) {
-throw Boom.unauthorized()
+throw Boom.forbidden()
 }
 
 const { notificationService } = request.services(true)
@@ -75,7 +75,7 @@ module.exports = {
 db
 )
 if (!isMember && !isManager) {
-throw Boom.unauthorized(
+throw Boom.forbidden(
 `You don't have permission to upload apps to that organisation`
 )
 }
@@ -106,7 +106,7 @@ module.exports = {
 isCoreApp = manifest.core_app
 
 if (isCoreApp && !isManager) {
-throw Boom.unauthorized(
+throw Boom.forbidden(
 `You don't have permission to upload core apps`
 )
 }
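Review bot: `throw Boom.forbidden()` on the `canCreateApp` check in createApp.js is only the right status if the handler never runs for an anonymous caller; `canCreateApp(request, h)` presumably returns false both when no credential is present and when the credential lacks the permission, and in the first case 401 (with a challenge) is the correct answer, not 403. Worth confirming that the route's `auth` configuration, which is outside the hunk, requires an authenticated credential, or else putting `if (!request.auth.isAuthenticated) throw Boom.unauthorized()` ahead of the permission test. The same question applies to the `canCreateApp` check in v2/apps.js and to the `canDeleteApp`, `canSeeAllApps`, `canChangeAppStatus` and `currentUserIsManager` checks in the other files of this patch. The diffstat lists no test changes, so the new status codes are not pinned by any handler test.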
diff --git a/server/src/routes/v1/apps/handlers/createAppVersion.js b/server/src/routes/v1/apps/handlers/createAppVersion.js
index 03c0550e5..3f58d5425 100644
--- a/server/src/routes/v1/apps/handlers/createAppVersion.js
+++ b/server/src/routes/v1/apps/handlers/createAppVersion.js
@@ -73,7 +73,7 @@ module.exports = {
 isManager ||
 userApps.map(app => app.app_id).indexOf(appId) !== -1
 if (!userCanEditApp) {
-throw Boom.unauthorized()
+throw Boom.forbidden()
 }
 
 const versionPayload = request.payload.version
diff --git a/server/src/routes/v1/apps/handlers/deleteApp.js b/server/src/routes/v1/apps/handlers/deleteApp.js
index c8c9324fc..6b8beecee 100644
--- a/server/src/routes/v1/apps/handlers/deleteApp.js
+++ b/server/src/routes/v1/apps/handlers/deleteApp.js
@@ -29,7 +29,7 @@ module.exports = {
 debug(`deleteApp : ${request.params.appId}`)
 
 if (!canDeleteApp(request, h)) {
-throw Boom.unauthorized()
+throw Boom.forbidden()
 }
 
 //todo: validate
diff --git a/server/src/routes/v1/apps/handlers/deleteAppVersion.js b/server/src/routes/v1/apps/handlers/deleteAppVersion.js
index 2a74f3319..e8eb7971b 100644
--- a/server/src/routes/v1/apps/handlers/deleteAppVersion.js
+++ b/server/src/routes/v1/apps/handlers/deleteAppVersion.js
@@ -59,7 +59,7 @@ module.exports = {
 throw Boom.internal(err)
 }
 } else {
-throw Boom.unauthorized()
+throw Boom.forbidden()
 }
 
 //What the old v1 api responds with on this endpoint if all works out
diff --git a/server/src/routes/v1/apps/handlers/deleteImage.js b/server/src/routes/v1/apps/handlers/deleteImage.js
index e2e5203ee..6bde8b3a8 100644
--- a/server/src/routes/v1/apps/handlers/deleteImage.js
+++ b/server/src/routes/v1/apps/handlers/deleteImage.js
@@ -61,7 +61,7 @@ module.exports = {
 throw Boom.internal(err)
 }
 } else {
-throw Boom.unauthorized()
+throw Boom.forbidden()
 }
 
 //What the old v1 api responds with on this endpoint if all works out
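Review bot: The ownership test feeding `userCanEditApp` in createAppVersion.js, `userApps.map(app => app.app_id).indexOf(appId) !== -1`, builds an intermediate array and uses the index-sentinel idiom where a predicate reads more directly as what it checks; `userApps.some(app => app.app_id === appId)` says the same thing in one pass. The surrounding handler starts before this hunk, so the definition of `userApps` and `isManager` is not visible here.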
diff --git a/server/src/routes/v1/apps/handlers/editApp.js b/server/src/routes/v1/apps/handlers/editApp.js
index 6134fe066..7d6e6a728 100644
--- a/server/src/routes/v1/apps/handlers/editApp.js
+++ b/server/src/routes/v1/apps/handlers/editApp.js
@@ -84,7 +84,7 @@ module.exports = {
 throw Boom.internal(err)
 }
 } else {
-throw Boom.unauthorized()
+throw Boom.forbidden()
 }
 
 //What the old v1 api responds with on this endpoint if all works out
diff --git a/server/src/routes/v1/apps/handlers/editAppVersion.js b/server/src/routes/v1/apps/handlers/editAppVersion.js
index d166a89bf..c9f1c3b3a 100644
--- a/server/src/routes/v1/apps/handlers/editAppVersion.js
+++ b/server/src/routes/v1/apps/handlers/editAppVersion.js
@@ -88,6 +88,6 @@ module.exports = {
 }
 }
 
-throw Boom.unauthorized()
+throw Boom.forbidden()
 },
 }
diff --git a/server/src/routes/v1/apps/handlers/editImage.js b/server/src/routes/v1/apps/handlers/editImage.js
index e954bcf61..335fef2a1 100644
--- a/server/src/routes/v1/apps/handlers/editImage.js
+++ b/server/src/routes/v1/apps/handlers/editImage.js
@@ -81,7 +81,7 @@ module.exports = {
 throw Boom.internal(err)
 }
 } else {
-throw Boom.unauthorized()
+throw Boom.forbidden()
 }
 
 //What the old v1 api responds with on this endpoint if all works out
diff --git a/server/src/routes/v1/apps/handlers/getAllApps.js b/server/src/routes/v1/apps/handlers/getAllApps.js
index eaea93039..0346fddd6 100644
--- a/server/src/routes/v1/apps/handlers/getAllApps.js
+++ b/server/src/routes/v1/apps/handlers/getAllApps.js
@@ -26,7 +26,7 @@ module.exports = {
 },
 handler: async (request, h) => {
 if (!canSeeAllApps(request, h)) {
-throw Boom.unauthorized()
+throw Boom.forbidden()
 }
 
 try {
diff --git a/server/src/routes/v1/apps/handlers/setApprovalStatus.js b/server/src/routes/v1/apps/handlers/setApprovalStatus.js
index a98533f80..dfc269478 100644
--- a/server/src/routes/v1/apps/handlers/setApprovalStatus.js
+++ b/server/src/routes/v1/apps/handlers/setApprovalStatus.js
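Review bot: The unconditional `throw Boom.forbidden()` that closes the editAppVersion.js handler turns every path that did not return earlier into a 403, so if any earlier lookup in the body (outside the hunk) falls through instead of throwing — an app or version that does not exist, say — the client cannot tell "not found" from "not permitted". If the fall-through really is reached only on a failed permission check, a one-line comment above it would make that explicit, e.g. `// Reached only when no earlier branch returned: treat as a permission failure`; otherwise the not-found cases deserve their own `Boom.notFound()` before this line. The handler begins before this hunk, so the preceding branches are not visible here.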
@@ -23,7 +23,7 @@ module.exports = {
 //request.logger.info('In handler %s', request.path)
 
 if (!canChangeAppStatus(request, h)) {
-throw Boom.unauthorized()
+throw Boom.forbidden()
 }
 
 const { status } = request.query
diff --git a/server/src/routes/v1/apps/handlers/uploadImageToApp.js b/server/src/routes/v1/apps/handlers/uploadImageToApp.js
index b27e37911..b37403cfc 100644
--- a/server/src/routes/v1/apps/handlers/uploadImageToApp.js
+++ b/server/src/routes/v1/apps/handlers/uploadImageToApp.js
@@ -55,7 +55,7 @@ module.exports = {
 if (!canUploadMedia) {
 return h
 .response({ message: `You don't have access to edit that app` })
-.code(401)
+.code(403)
 }
 
 const imageFile = request.payload.file
diff --git a/server/src/routes/v2/apps.js b/server/src/routes/v2/apps.js
index b9ab230d9..dca209460 100644
--- a/server/src/routes/v2/apps.js
+++ b/server/src/routes/v2/apps.js
@@ -104,7 +104,7 @@ module.exports = [
 },
 handler: async (request, h) => {
 if (!canCreateApp(request, h)) {
-throw Boom.unauthorized()
+throw Boom.forbidden()
 }
 
 const { db } = h.context
@@ -139,7 +139,7 @@ module.exports = [
 db
 )
 if (!isMember && !isManager) {
-throw Boom.unauthorized(
+throw Boom.forbidden(
 `You don't have permission to upload apps to that organisation`
 )
 }
diff --git a/server/src/routes/v2/channels.js b/server/src/routes/v2/channels.js
index efb71bc17..d24672049 100644
--- a/server/src/routes/v2/channels.js
+++ b/server/src/routes/v2/channels.js
@@ -35,7 +35,7 @@ module.exports = [
 request.logger.info('In handler %s', request.path)
 
 if (!currentUserIsManager(request)) {
-throw Boom.unauthorized()
+throw Boom.forbidden()
 }
 
 const { name } = request.payload
@@ -79,7 +79,7 @@ module.exports = [
 console.log(request.auth)
 
 if (!currentUserIsManager(request)) {
-throw Boom.unauthorized()
+throw Boom.forbidden()
 }
 
 const { name } = request.payload
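Review bot: `.code(403)` in uploadImageToApp.js keeps the hand-built `h.response({ message: ... })` where every other handler in this patch throws a Boom error, so the JSON body of a permission failure on this route has a different shape from the rest (a Boom payload carries `statusCode`, `error` and `message`). Replacing the three-line `return h.response(...).code(403)` with `throw Boom.forbidden(\`You don't have access to edit that app\`)` would make the error contract uniform across the API; Boom is presumably already imported in that file as in the sibling handlers — confirm before changing. The `canUploadMedia` computation sits before this hunk and is not visible here.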
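Review bot: `console.log(request.auth)` two lines above the new `throw Boom.forbidden()` in channels.js (the `@@ -79` hunk) dumps the whole auth object to stdout on every call, including calls that are rejected right after; depending on the auth strategy that object can carry the credential or token the caller presented, so it ends up in process logs. It reads as a leftover debug line, and the patch touches this spot anyway: drop it, or at most emit a single identifying field through `request.logger` as the `@@ -35` hunk already does with `request.logger.info('In handler %s', request.path)`.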
@@ -146,7 +146,7 @@ module.exports = [
 
 if (!currentUserIsManager(request)) {
 debug('unauthorized')
-throw Boom.unauthorized()
+throw Boom.forbidden()
 }
 
 const { uuid } = request.params
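Review bot: `debug('unauthorized')` directly above the new `throw Boom.forbidden()` in channels.js now logs the old status class while the response is a 403, so anyone grepping logs for forbidden responses will miss this branch and anyone grepping for unauthorized will find a 403. Change it to `debug('forbidden')`, or better say what was checked, `debug('caller is not a manager')`, so the log line and the status agree. The handler continues after this hunk.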