diff --git a/src/errors.rs b/src/errors.rs
index e1082e8c..276d9a8d 100644
--- a/src/errors.rs
+++ b/src/errors.rs
@@ -111,6 +111,11 @@ pub enum ServiceError {
 #[display(fmt = "Unauthorized action.")]
 UnauthorizedAction,
+ #[display(
+ fmt = "Unauthorized actions for guest users. Try logging in to check if you have permission to perform the action"
+ )]
+ UnauthorizedActionForGuests,
+
 #[display(fmt = "This torrent already exists in our database.")]
 InfoHashAlreadyExists,
@@ -301,6 +306,7 @@ pub fn http_status_code_for_service_error(error: &ServiceError) -> StatusCode {
 ServiceError::InvalidCategory => StatusCode::BAD_REQUEST,
 ServiceError::InvalidTag => StatusCode::BAD_REQUEST,
 ServiceError::UnauthorizedAction => StatusCode::FORBIDDEN,
+ ServiceError::UnauthorizedActionForGuests => StatusCode::UNAUTHORIZED,
 ServiceError::InfoHashAlreadyExists => StatusCode::BAD_REQUEST,
 ServiceError::CanonicalInfoHashAlreadyExists => StatusCode::CONFLICT,
 ServiceError::OriginalInfoHashAlreadyExists => StatusCode::CONFLICT,
diff --git a/src/services/authorization.rs b/src/services/authorization.rs
index fca7da07..51d2a0d7 100644
--- a/src/services/authorization.rs
+++ b/src/services/authorization.rs
@@ -80,11 +80,13 @@ impl Service {
 let enforcer = self.casbin_enforcer.enforcer.read().await;
 let authorize = enforcer
- .enforce((role, action))
+ .enforce((&role, action))
 .map_err(|_| ServiceError::UnauthorizedAction)?;
 if authorize {
 Ok(())
+ } else if role == UserRole::Guest {
+ Err(ServiceError::UnauthorizedActionForGuests)
 } else {
 Err(ServiceError::UnauthorizedAction)
 }
diff --git a/tests/e2e/web/api/v1/contexts/category/contract.rs b/tests/e2e/web/api/v1/contexts/category/contract.rs
index c8ce33df..b4775bd2 100644
--- a/tests/e2e/web/api/v1/contexts/category/contract.rs
+++ b/tests/e2e/web/api/v1/contexts/category/contract.rs
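Review bot: The new display string `"Unauthorized actions for guest users. Try logging in to check if you have permission to perform the action"` has no terminating period and uses the plural "actions", unlike the sibling `"Unauthorized action."` directly above it; since these strings are user-facing error messages, consider `fmt = "Unauthorized action for guest users. Try logging in to check if you have permission to perform the action."` so the `ServiceError` messages read consistently. The `ServiceError` enum starts and ends outside this hunk.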
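Review bot: Mapping `ServiceError::UnauthorizedActionForGuests` to `StatusCode::UNAUTHORIZED` is the right split between "not authenticated" (401) and "authenticated but not permitted" (403), but RFC 7235 requires a 401 response to carry a `WWW-Authenticate` challenge header, and nothing in this hunk adds one. If the HTTP response is assembled elsewhere from this status code, confirm the header is set there (for example `WWW-Authenticate: Bearer` if the API uses bearer tokens); otherwise clients that drive their login flow from that challenge will not see it. A short comment on the new arm would also help future readers, e.g. `// Guests are unauthenticated, so answer with a 401 challenge rather than a 403 permission error.`. `http_status_code_for_service_error` starts before and continues after this hunk.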
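Review bot: An enforcer failure on the `.map_err(|_| ServiceError::UnauthorizedAction)?` line is still collapsed into the plain `UnauthorizedAction`, so a guest whose request fails because the policy could not be evaluated receives a 403 while a guest who is properly denied now receives the new 401, and the underlying casbin error is discarded in both cases. Failing closed is the right default, but consider recording the original error inside that closure with the service's logging facility before mapping it, so a policy or model misconfiguration is visible to operators instead of presenting as ordinary denials. The new `else if role == UserRole::Guest` branch assumes `UserRole::Guest` is only ever assigned to unauthenticated requests; the derivation of `role` is outside the hunk, so confirm an authenticated user can never carry this role, otherwise the "try logging in" message would be misleading. The enclosing method's signature and start are outside this hunk.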
@@ -61,7 +61,7 @@ async fn it_should_not_allow_adding_a_new_category_to_unauthenticated_users() {
 })
 .await;
- assert_eq!(response.status, 403);
+ assert_eq!(response.status, 401);
 }
 #[tokio::test]
@@ -194,5 +194,5 @@ async fn it_should_not_allow_guests_to_delete_categories() {
 })
 .await;
- assert_eq!(response.status, 403);
+ assert_eq!(response.status, 401);
 }
diff --git a/tests/e2e/web/api/v1/contexts/tag/contract.rs b/tests/e2e/web/api/v1/contexts/tag/contract.rs
index 42f42bd8..77771d49 100644
--- a/tests/e2e/web/api/v1/contexts/tag/contract.rs
+++ b/tests/e2e/web/api/v1/contexts/tag/contract.rs
@@ -63,7 +63,7 @@ async fn it_should_not_allow_adding_a_new_tag_to_unauthenticated_users() {
 })
 .await;
- assert_eq!(response.status, 403);
+ assert_eq!(response.status, 401);
 }
 #[tokio::test]
@@ -174,5 +174,5 @@ async fn it_should_not_allow_guests_to_delete_tags() {
 let response = client.delete_tag(DeleteTagForm { tag_id }).await;
- assert_eq!(response.status, 403);
+ assert_eq!(response.status, 401);
 }
diff --git a/tests/e2e/web/api/v1/contexts/torrent/contract.rs b/tests/e2e/web/api/v1/contexts/torrent/contract.rs
index fed3d3ed..ed3b4f33 100644
--- a/tests/e2e/web/api/v1/contexts/torrent/contract.rs
+++ b/tests/e2e/web/api/v1/contexts/torrent/contract.rs
@@ -442,7 +442,7 @@ mod for_guests {
 let response = client.upload_torrent(form.into()).await;
- assert_eq!(response.status, 403);
+ assert_eq!(response.status, 401);
 }
 #[tokio::test]
@@ -462,7 +462,7 @@ mod for_guests {
 let response = client.delete_torrent(&test_torrent.file_info_hash()).await;
- assert_eq!(response.status, 403);
+ assert_eq!(response.status, 401);
 }
 }
diff --git a/tests/e2e/web/api/v1/contexts/user/contract.rs b/tests/e2e/web/api/v1/contexts/user/contract.rs
index e83e796b..3124fc28 100644
--- a/tests/e2e/web/api/v1/contexts/user/contract.rs
+++ b/tests/e2e/web/api/v1/contexts/user/contract.rs
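Review bot: The updated assertion `assert_eq!(response.status, 401);` pins only the status code, so the test still passes if the 401 comes from a different path (for example a request rejected before the authorization service runs) rather than from `ServiceError::UnauthorizedActionForGuests`; consider also asserting on the error message in the response body so the guest-specific branch is what is being exercised. The same applies to the other changed assertions in the category, tag, torrent and user contract tests in this commit. Each of these test functions starts outside its hunk.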
@@ -231,6 +231,6 @@ mod banned_user_list {
 let response = client.ban_user(Username::new(registered_user.username.clone())).await;
- assert_eq!(response.status, 403);
+ assert_eq!(response.status, 401);
 }
 }