diff --git a/pkg/web/handler/core.go b/pkg/web/handler/core.go index 1499ea673..01474b874 100644 --- a/pkg/web/handler/core.go +++ b/pkg/web/handler/core.go @@ -18,14 +18,11 @@ package handler import ( "context" - "net/http" "code.vikunja.io/api/pkg/db" "code.vikunja.io/api/pkg/events" "code.vikunja.io/api/pkg/log" "code.vikunja.io/api/pkg/web" - - "github.com/labstack/echo/v5" ) // DoCreate runs the permission check + model Create + commit pipeline for a @@ -49,7 +46,7 @@ func DoCreate(_ context.Context, obj CObject, a web.Auth) error { _ = s.Rollback() events.CleanupPending(s) log.Warningf("Tried to create while not having the permissions for it (User: %v)", a) - return echo.NewHTTPError(http.StatusForbidden, "Forbidden") + return ErrGenericForbidden{} } if err := obj.Create(s, a); err != nil { @@ -89,7 +86,7 @@ func DoReadOne(_ context.Context, obj CObject, a web.Auth) (maxPermission int, e _ = s.Rollback() events.CleanupPending(s) log.Warningf("Tried to read while not having the permissions for it (User: %v)", a) - return 0, echo.NewHTTPError(http.StatusForbidden, "You don't have the permission to see this") + return 0, ErrGenericForbidden{Message: "You don't have the permission to see this"} } if err := obj.ReadOne(s, a); err != nil { @@ -156,7 +153,7 @@ func DoUpdate(_ context.Context, obj CObject, a web.Auth) error { _ = s.Rollback() events.CleanupPending(s) log.Warningf("Tried to update while not having the permissions for it (User: %v)", a) - return echo.NewHTTPError(http.StatusForbidden, "Forbidden") + return ErrGenericForbidden{} } if err := obj.Update(s, a); err != nil { @@ -195,7 +192,7 @@ func DoDelete(_ context.Context, obj CObject, a web.Auth) error { _ = s.Rollback() events.CleanupPending(s) log.Warningf("Tried to delete while not having the permissions for it (User: %v)", a) - return echo.NewHTTPError(http.StatusForbidden, "Forbidden") + return ErrGenericForbidden{} } if err := obj.Delete(s, a); err != nil { diff --git a/pkg/web/handler/error.go b/pkg/web/handler/error.go new file mode 100644 index 000000000..3f9f5d05a --- /dev/null +++ b/pkg/web/handler/error.go @@ -0,0 +1,55 @@ +// Vikunja is a to-do list application to facilitate your life. +// Copyright 2018-present Vikunja and contributors. All rights reserved. +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package handler + +import ( + "net/http" + + "code.vikunja.io/api/pkg/web" +) + +// ErrGenericForbidden indicates the authenticated caller lacks permission +// to perform the requested operation. It is framework-neutral: it implements +// web.HTTPErrorProcessor so any HTTP framework (Echo today, Huma in the +// upcoming /v2 migration) can translate it to the correct response via the +// central error handler. +// +// An optional Message overrides the default "Forbidden" text; this preserves +// the legacy per-site wording on sites like DoReadOne. +type ErrGenericForbidden struct { + // Message overrides the default "Forbidden" text when non-empty. + Message string +} + +// Error implements the error interface. +func (e ErrGenericForbidden) Error() string { + if e.Message != "" { + return e.Message + } + return "Forbidden" +} + +// HTTPError implements web.HTTPErrorProcessor so the central error handler +// can translate the error to an HTTP 403 response regardless of which +// framework surfaces it. +func (e ErrGenericForbidden) HTTPError() web.HTTPError { + msg := e.Message + if msg == "" { + msg = "Forbidden" + } + return web.HTTPError{HTTPCode: http.StatusForbidden, Message: msg} +}