fix: implement require admin differently than unauthorized

windmill-labs · Nov 2, 2022 · 14c296d · 14c296d
1 parent b830dff
commit 14c296d
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 4 deletions.
diff --git a/backend/windmill-common/src/error.rs b/backend/windmill-common/src/error.rs
@@ -35,6 +35,8 @@ pub enum Error {
     NotFound(String),
     #[error("Not authorized: {0}")]
     NotAuthorized(String),
+    #[error("Require Admin privileges for {0}")]
+    RequireAdmin(String),
     #[error("{0}")]
     ExecutionErr(String),
     #[error("IO error: {0}")]
@@ -77,6 +79,7 @@ impl IntoResponse for Error {
         let status = match self {
             Self::NotFound(_) => axum::http::StatusCode::NOT_FOUND,
             Self::NotAuthorized(_) => axum::http::StatusCode::UNAUTHORIZED,
+            Self::RequireAdmin(_) => axum::http::StatusCode::FORBIDDEN,
             Self::SqlErr(_) | Self::BadRequest(_) => axum::http::StatusCode::BAD_REQUEST,
             _ => axum::http::StatusCode::INTERNAL_SERVER_ERROR,
         };

diff --git a/backend/windmill-common/src/utils.rs b/backend/windmill-common/src/utils.rs
@@ -34,10 +34,7 @@ impl StripPath {
 
 pub fn require_admin(is_admin: bool, username: &str) -> Result<()> {
     if !is_admin {
-        Err(Error::NotAuthorized(format!(
-            "This endpoint require caller {} to be an admin",
-            username
-        )))
+        Err(Error::RequireAdmin(username.to_string()))
     } else {
         Ok(())
     }

diff --git a/frontend/src/routes/__layout-root@none.svelte b/frontend/src/routes/__layout-root@none.svelte
@@ -75,6 +75,9 @@
 					if (pathName != '/user/login') {
 						logoutWithRedirect(pathName + $page.url.search)
 					}
+				}
+				if (status == '403') {
+					sendUserToast('An endpoint required a privilege which you do not have', true)
 				} else {
 					if (body) {
 						sendUserToast(`${body}`, true)