Skip to content

Disambiguate 401 and 403 when accessing /projects #719

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
fspeirs merged 2 commits into from
Mar 10, 2026
Merged

Disambiguate 401 and 403 when accessing /projects #719

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bc0ae99
Disambiguate 401 and 403 when accessing /projects
fspeirs Mar 9, 2026
5377296
Update project Show spec for unauthorised
fspeirs Mar 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions app/controllers/api_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,12 @@ def authorize_user
render json: { error: 'Unauthorized' }, status: :unauthorized unless current_user
end

def denied(exception)
render_error_as_json(exception, :forbidden)
def denied(_exception)
if current_user
render json: { error: 'Forbidden' }, status: :forbidden
else
render json: { error: 'Unauthorized' }, status: :unauthorized
end
end

def not_found(exception)
Expand Down
38 changes: 30 additions & 8 deletions spec/requests/api_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,18 +76,40 @@ def index
test_controller.error = CanCan::AccessDenied.new('foo')
end

it 'responds with 403 Forbidden status code' do
get '/test'
context 'when current_user is not set' do
it 'responds with 401 Unauthorized status code' do
get '/test'

expect(response).to have_http_status(:unauthorized)
end

it 'responds with JSON including error message' do
get '/test'

expect(response).to have_http_status(:forbidden)
expect(response.parsed_body).to include(
'error' => 'Unauthorized'
)
end
end

it 'responds with JSON including exception class & message' do
get '/test'
context 'when current_user is set' do
before do
allow(User).to receive(:from_token).and_return(User.new)
end

expect(response.parsed_body).to include(
'error' => 'CanCan::AccessDenied: foo'
)
it 'responds with 403 Forbidden status code' do
get '/test', headers: { 'Authorization' => 'secret' }

expect(response).to have_http_status(:forbidden)
end

it 'responds with JSON including error message' do
get '/test', headers: { 'Authorization' => 'secret' }

expect(response.parsed_body).to include(
'error' => 'Forbidden'
)
end
end
end

Expand Down
4 changes: 2 additions & 2 deletions spec/requests/projects/show_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -254,10 +254,10 @@
}.to_json
end

it 'returns forbidden response' do
it 'returns unauthorized response' do
get("/api/projects/#{project.identifier}", headers:)

expect(response).to have_http_status(:forbidden)
expect(response).to have_http_status(:unauthorized)
end

it 'does not return the project json' do
Expand Down