refactor: [#615] new authorization error for guest users

torrust · Aug 5, 2024 · f38b628 · f38b628
1 parent d8b3ee2
commit f38b628
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 8 deletions.
diff --git a/src/errors.rs b/src/errors.rs
@@ -111,6 +111,11 @@ pub enum ServiceError {
     #[display(fmt = "Unauthorized action.")]
     UnauthorizedAction,
 
+    #[display(
+        fmt = "Unauthorized actions for guest users. Try logging in to check if you have permission to perform the action"
+    )]
+    UnauthorizedActionForGuests,
+
     #[display(fmt = "This torrent already exists in our database.")]
     InfoHashAlreadyExists,
 
@@ -301,6 +306,7 @@ pub fn http_status_code_for_service_error(error: &ServiceError) -> StatusCode {
         ServiceError::InvalidCategory => StatusCode::BAD_REQUEST,
         ServiceError::InvalidTag => StatusCode::BAD_REQUEST,
         ServiceError::UnauthorizedAction => StatusCode::FORBIDDEN,
+        ServiceError::UnauthorizedActionForGuests => StatusCode::UNAUTHORIZED,
         ServiceError::InfoHashAlreadyExists => StatusCode::BAD_REQUEST,
         ServiceError::CanonicalInfoHashAlreadyExists => StatusCode::CONFLICT,
         ServiceError::OriginalInfoHashAlreadyExists => StatusCode::CONFLICT,

diff --git a/src/services/authorization.rs b/src/services/authorization.rs
@@ -80,11 +80,13 @@ impl Service {
         let enforcer = self.casbin_enforcer.enforcer.read().await;
 
         let authorize = enforcer
-            .enforce((role, action))
+            .enforce((&role, action))
             .map_err(|_| ServiceError::UnauthorizedAction)?;
 
         if authorize {
             Ok(())
+        } else if role == UserRole::Guest {
+            Err(ServiceError::UnauthorizedActionForGuests)
         } else {
             Err(ServiceError::UnauthorizedAction)
         }

diff --git a/tests/e2e/web/api/v1/contexts/category/contract.rs b/tests/e2e/web/api/v1/contexts/category/contract.rs
@@ -61,7 +61,7 @@ async fn it_should_not_allow_adding_a_new_category_to_unauthenticated_users() {
         })
         .await;
 
-    assert_eq!(response.status, 403);
+    assert_eq!(response.status, 401);
 }
 
 #[tokio::test]
@@ -194,5 +194,5 @@ async fn it_should_not_allow_guests_to_delete_categories() {
         })
         .await;
 
-    assert_eq!(response.status, 403);
+    assert_eq!(response.status, 401);
 }
diff --git a/tests/e2e/web/api/v1/contexts/tag/contract.rs b/tests/e2e/web/api/v1/contexts/tag/contract.rs
@@ -63,7 +63,7 @@ async fn it_should_not_allow_adding_a_new_tag_to_unauthenticated_users() {
         })
         .await;
 
-    assert_eq!(response.status, 403);
+    assert_eq!(response.status, 401);
 }
 
 #[tokio::test]
@@ -174,5 +174,5 @@ async fn it_should_not_allow_guests_to_delete_tags() {
 
     let response = client.delete_tag(DeleteTagForm { tag_id }).await;
 
-    assert_eq!(response.status, 403);
+    assert_eq!(response.status, 401);
 }
diff --git a/tests/e2e/web/api/v1/contexts/torrent/contract.rs b/tests/e2e/web/api/v1/contexts/torrent/contract.rs
@@ -442,7 +442,7 @@ mod for_guests {
 
         let response = client.upload_torrent(form.into()).await;
 
-        assert_eq!(response.status, 403);
+        assert_eq!(response.status, 401);
     }
 
     #[tokio::test]
@@ -462,7 +462,7 @@ mod for_guests {
 
         let response = client.delete_torrent(&test_torrent.file_info_hash()).await;
 
-        assert_eq!(response.status, 403);
+        assert_eq!(response.status, 401);
     }
 }
 

diff --git a/tests/e2e/web/api/v1/contexts/user/contract.rs b/tests/e2e/web/api/v1/contexts/user/contract.rs
@@ -231,6 +231,6 @@ mod banned_user_list {
 
         let response = client.ban_user(Username::new(registered_user.username.clone())).await;
 
-        assert_eq!(response.status, 403);
+        assert_eq!(response.status, 401);
     }
 }