refactor(handler): return domain error for forbidden instead of echo.HTTPError

Keeps the Do* helpers framework-neutral so non-Echo callers (upcoming
Huma /v2 handlers) don't need a translation shim.

Addresses review feedback on #2670.
This commit is contained in:
kolaente 2026-04-21 11:15:55 +02:00 committed by kolaente
parent 939381fb12
commit 2fc6f033f2
2 changed files with 59 additions and 7 deletions

View File

@ -18,14 +18,11 @@ package handler
import (
"context"
"net/http"
"code.vikunja.io/api/pkg/db"
"code.vikunja.io/api/pkg/events"
"code.vikunja.io/api/pkg/log"
"code.vikunja.io/api/pkg/web"
"github.com/labstack/echo/v5"
)
// DoCreate runs the permission check + model Create + commit pipeline for a
@ -49,7 +46,7 @@ func DoCreate(_ context.Context, obj CObject, a web.Auth) error {
_ = s.Rollback()
events.CleanupPending(s)
log.Warningf("Tried to create while not having the permissions for it (User: %v)", a)
return echo.NewHTTPError(http.StatusForbidden, "Forbidden")
return ErrGenericForbidden{}
}
if err := obj.Create(s, a); err != nil {
@ -89,7 +86,7 @@ func DoReadOne(_ context.Context, obj CObject, a web.Auth) (maxPermission int, e
_ = s.Rollback()
events.CleanupPending(s)
log.Warningf("Tried to read while not having the permissions for it (User: %v)", a)
return 0, echo.NewHTTPError(http.StatusForbidden, "You don't have the permission to see this")
return 0, ErrGenericForbidden{Message: "You don't have the permission to see this"}
}
if err := obj.ReadOne(s, a); err != nil {
@ -156,7 +153,7 @@ func DoUpdate(_ context.Context, obj CObject, a web.Auth) error {
_ = s.Rollback()
events.CleanupPending(s)
log.Warningf("Tried to update while not having the permissions for it (User: %v)", a)
return echo.NewHTTPError(http.StatusForbidden, "Forbidden")
return ErrGenericForbidden{}
}
if err := obj.Update(s, a); err != nil {
@ -195,7 +192,7 @@ func DoDelete(_ context.Context, obj CObject, a web.Auth) error {
_ = s.Rollback()
events.CleanupPending(s)
log.Warningf("Tried to delete while not having the permissions for it (User: %v)", a)
return echo.NewHTTPError(http.StatusForbidden, "Forbidden")
return ErrGenericForbidden{}
}
if err := obj.Delete(s, a); err != nil {

55
pkg/web/handler/error.go Normal file
View File

@ -0,0 +1,55 @@
// Vikunja is a to-do list application to facilitate your life.
// Copyright 2018-present Vikunja and contributors. All rights reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package handler
import (
"net/http"
"code.vikunja.io/api/pkg/web"
)
// ErrGenericForbidden indicates the authenticated caller lacks permission
// to perform the requested operation. It is framework-neutral: it implements
// web.HTTPErrorProcessor so any HTTP framework (Echo today, Huma in the
// upcoming /v2 migration) can translate it to the correct response via the
// central error handler.
//
// An optional Message overrides the default "Forbidden" text; this preserves
// the legacy per-site wording on sites like DoReadOne.
type ErrGenericForbidden struct {
// Message overrides the default "Forbidden" text when non-empty.
Message string
}
// Error implements the error interface.
func (e ErrGenericForbidden) Error() string {
if e.Message != "" {
return e.Message
}
return "Forbidden"
}
// HTTPError implements web.HTTPErrorProcessor so the central error handler
// can translate the error to an HTTP 403 response regardless of which
// framework surfaces it.
func (e ErrGenericForbidden) HTTPError() web.HTTPError {
msg := e.Message
if msg == "" {
msg = "Forbidden"
}
return web.HTTPError{HTTPCode: http.StatusForbidden, Message: msg}
}