expect a 403 error on privs edit modal

metabrainz · Jul 4, 2023 · 5d567d5 · 5d567d5
1 parent 9c5864d
commit 5d567d5
Show file tree

Hide file tree

Showing 7 changed files with 11 additions and 10 deletions.
diff --git a/src/client/components/pages/parts/privs-edit-modal.js b/src/client/components/pages/parts/privs-edit-modal.js
@@ -61,8 +61,10 @@ class PrivsEditModal extends React.Component {
 				},
 				method: 'POST'
 			});
-
 			if (!response.ok) {
+				if (response.status === 403) {
+					throw new Error(response.statusText);
+				}
 				const {error} = await response.json();
 				throw new Error(error ?? response.statusText);
 			}

diff --git a/src/common/helpers/error.js b/src/common/helpers/error.js
@@ -138,7 +138,7 @@ export class NotAuthorizedError extends PathError {
 	static detailedMessage(req) {
 		return [
 			`You do not have permission to access the following path:
-			${req.path}`,
+			${req.originalUrl}`,
 			'Please make sure you have the privileges to access the route!'
 		];
 	}

diff --git a/src/server/helpers/auth.js b/src/server/helpers/auth.js
@@ -177,11 +177,10 @@ export function isAuthorized(flag) {
 	return async (req, res, next) => {
 		try {
 			const {Editor} = req.app.locals.orm;
-			const latestPrivs = await Editor.query({where: {id: req.user.id}})
-				.fetch({require: true})
-				.then(editor => editor.get('privs'));
+			const editor = await Editor.query({where: {id: req.user.id}})
+				.fetch({require: true});
 			/* eslint-disable no-bitwise */
-			if (latestPrivs & flag) {
+			if (editor.get('privs') & flag) {
 				return next();
 			}
 			throw new error.NotAuthorizedError(

diff --git a/test/src/server/routes/entity/edition.js b/test/src/server/routes/entity/edition.js
@@ -7,7 +7,7 @@ import chaiHttp from 'chai-http';
 chai.use(chaiHttp);
 const {expect} = chai;
 
-describe('Edition routes', () => {
+describe('Edition routes with entity editing priv', () => {
 	const aBBID = getRandomUUID();
 	const inValidBBID = 'have-you-seen-the-fnords';
 	let agent;

diff --git a/test/src/server/routes/entity/publisher.js b/test/src/server/routes/entity/publisher.js
@@ -8,7 +8,7 @@ import chaiHttp from 'chai-http';
 chai.use(chaiHttp);
 const {expect} = chai;
 
-describe('Publisher routes', () => {
+describe('Publisher routes with entity editing priv', () => {
 	const aBBID = getRandomUUID();
 	const inValidBBID = 'have-you-seen-the-fnords';
 	let agent;

diff --git a/test/src/server/routes/entity/series.js b/test/src/server/routes/entity/series.js
@@ -27,7 +27,7 @@ import chaiHttp from 'chai-http';
 chai.use(chaiHttp);
 const {expect} = chai;
 
-describe('Series routes', () => {
+describe('Series routes with entity editing priv', () => {
 	const aBBID = getRandomUUID();
 	const inValidBBID = 'have-you-seen-the-fnords';
 	let agent;

diff --git a/test/src/server/routes/entity/work.js b/test/src/server/routes/entity/work.js
@@ -8,7 +8,7 @@ import chaiHttp from 'chai-http';
 chai.use(chaiHttp);
 const {expect} = chai;
 
-describe('Work routes', () => {
+describe('Work routes with entity editing priv', () => {
 	const aBBID = getRandomUUID();
 	const inValidBBID = 'have-you-seen-the-fnords';
 	let agent;