Merge pull request #6945 from owncloud/fix/issue-5938-sajan

fix: return 403 when non-admin tries to do admin requests
This commit is contained in:
Phil Davis
2024-07-18 12:48:07 +05:45
committed by GitHub
11 changed files with 25 additions and 43 deletions

View File

@@ -0,0 +1,7 @@
Bugfix: Fix restarting of postprocessing
We fixed a bug where non-admin requests to admin resources would get 401 Unauthorized.
Now, the server sends 403 Forbidden response.
https://github.com/owncloud/ocis/pull/6945
https://github.com/owncloud/ocis/issues/5938
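Review bot: the changelog title on the first added line, "Bugfix: Fix restarting of postprocessing", does not describe this change and looks copied from an unrelated changelog entry. Retitle it to match the body, e.g. "Bugfix: Return 403 instead of 401 for non-admin requests to admin resources", so the release notes and the linked issue #5938 agree.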

View File

@@ -48,7 +48,7 @@ func RequireAdmin(rm *roles.Manager, logger log.Logger) func(next http.Handler)
return
}
errorcode.AccessDenied.Render(w, r, http.StatusUnauthorized, "Unauthorized")
errorcode.AccessDenied.Render(w, r, http.StatusForbidden, "Forbidden")
})
}
}
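Review bot: 403 is the right status at this Render call: a request that reaches it carries an authenticated user who merely lacks the admin role, and 401 would tell clients their credentials are missing or invalid and invite re-authentication loops. Before merging, confirm that the branch ending in the `return` at the top of the hunk still answers 401 for requests with no authenticated user, so that "not authenticated" and "authenticated but not allowed" remain distinguishable to clients and in access logs. Note also that the error code stays `errorcode.AccessDenied`; only the HTTP status and message change, so any client matching on the code is unaffected.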

View File

@@ -74,30 +74,6 @@ The expected failures in this file are from features in the owncloud/ocis repo.
- [apiGraphUserGroup/addUserToGroup.feature:289](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/addUserToGroup.feature#L289)
#### [API requests from an unauthorized user should return 403](https://github.com/owncloud/ocis/issues/5938)
- [apiGraphUserGroup/addUserToGroup.feature:152](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/addUserToGroup.feature#L152)
- [apiGraphUserGroup/addUserToGroup.feature:153](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/addUserToGroup.feature#L153)
- [apiGraphUserGroup/addUserToGroup.feature:154](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/addUserToGroup.feature#L154)
- [apiGraphUserGroup/addUserToGroup.feature:188](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/addUserToGroup.feature#L188)
- [apiGraphUserGroup/addUserToGroup.feature:189](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/addUserToGroup.feature#L189)
- [apiGraphUserGroup/addUserToGroup.feature:190](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/addUserToGroup.feature#L190)
- [apiGraphUserGroup/createGroup.feature:42](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/createGroup.feature#L42)
- [apiGraphUserGroup/createGroup.feature:43](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/createGroup.feature#L43)
- [apiGraphUserGroup/createGroup.feature:44](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/createGroup.feature#L44)
- [apiGraphUserGroup/deleteGroup.feature:63](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/deleteGroup.feature#L63)
- [apiGraphUserGroup/deleteGroup.feature:62](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/deleteGroup.feature#L62)
- [apiGraphUserGroup/deleteGroup.feature:64](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/deleteGroup.feature#L64)
- [apiGraphUserGroup/editGroup.feature:35](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/editGroup.feature#L35)
- [apiGraphUserGroup/editGroup.feature:34](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/editGroup.feature#L34)
- [apiGraphUserGroup/editGroup.feature:36](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/editGroup.feature#L36)
- [apiGraphUserGroup/getGroup.feature:107](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/getGroup.feature#L107)
- [apiGraphUserGroup/getGroup.feature:108](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/getGroup.feature#L108)
- [apiGraphUserGroup/getGroup.feature:109](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/getGroup.feature#L109)
- [apiGraphUserGroup/removeUserFromGroup.feature:193](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/removeUserFromGroup.feature#L193)
- [apiGraphUserGroup/removeUserFromGroup.feature:194](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/removeUserFromGroup.feature#L194)
- [apiGraphUserGroup/removeUserFromGroup.feature:195](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/removeUserFromGroup.feature#L195)
#### [API requests for a non-existent resources should return 404](https://github.com/owncloud/ocis/issues/5939)
- [apiGraphUserGroup/addUserToGroup.feature:205](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraphUserGroup/addUserToGroup.feature#L205)
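Review bot: the removed section lists scenarios in createGroup.feature, deleteGroup.feature and editGroup.feature, but none of those three files appears among the changed files in this PR. Those scenarios must therefore already assert 403 for them to start passing; please confirm by running the apiGraphUserGroup suite against this branch, otherwise the acceptance run will report them as unexpected failures. The deleteGroup (63, 62, 64) and editGroup (35, 34, 36) entries were also listed out of line order, which is moot once removed but worth keeping in mind when the file is regenerated.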
@@ -306,7 +282,6 @@ The expected failures in this file are from features in the owncloud/ocis repo.
- [apiSpacesDavOperation/moveByFileId.feature:208](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesDavOperation/moveByFileId.feature#L208)
- [apiSpacesDavOperation/moveByFileId.feature:209](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesDavOperation/moveByFileId.feature#L209)
### [OCM. sharing issues](https://github.com/owncloud/ocis/issues/9534)
- [apiOcm/share.feature:12](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiOcm/share.feature#L12)
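Review bot: this hunk drops one line (7 lines become 6) in the OCM sharing section for issue #9534, which is unrelated to #5938, and the rendered diff does not show which line was removed. If it was the `### [OCM. sharing issues]` heading, `apiOcm/share.feature:12` would end up filed under the preceding moveByFileId section. Please check the raw diff and either restore the line or explain the removal in the PR description.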

View File

@@ -51,7 +51,7 @@ Feature: change role
Given the administrator has assigned the role "<user-role>" to user "Alice" using the Graph API
And user "Brian" has been created with default attributes and without skeleton files
When user "Alice" tries to change the role of user "Alice" to role "Admin" using the Graph API
Then the HTTP status code should be "401"
Then the HTTP status code should be "403"
And user "Brian" should have the role "User"
Examples:
| user-role |
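Review bot: the final assertion in this scenario checks `And user "Brian" should have the role "User"`, while the request expected to be forbidden is `When user "Alice" tries to change the role of user "Alice" to role "Admin"`. Brian's role is never touched, so that assertion cannot fail even if the change went through. Add `And user "Alice" should have the role "<user-role>"` so the scenario actually proves the self-escalation was blocked; the status code alone does not rule out a change that was applied before the 403 was sent.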

View File

@@ -140,7 +140,7 @@ Feature: add users to group
"properties": {
"message": {
"type": "string",
"enum": ["Unauthorized"]
"enum": ["Forbidden"]
}
}
}
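Review bot: the schema now pins the message to exactly "Forbidden", which is the literal passed to `Render` in the middleware hunk; since that hunk leaves the error code `errorcode.AccessDenied` unchanged, a sibling `code` property in this schema, if present, needs no update. The message string is the only thing tying these tests to the implementation, so keep the enum values here and the middleware literal in sync.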
@@ -176,7 +176,7 @@ Feature: add users to group
"properties": {
"message" : {
"type": "string",
"enum": ["Unauthorized"]
"enum": ["Forbidden"]
}
}
}

View File

@@ -56,7 +56,7 @@ Feature: create user
| email | @example.org |
| password | 123 |
| accountEnabled | true |
Then the HTTP status code should be "401"
Then the HTTP status code should be "403"
And user "user" should not exist
Examples:
| user-role |

View File

@@ -60,7 +60,7 @@ Feature: delete user
Scenario Outline: non-admin user tries to delete his/her own account
Given the administrator has assigned the role "<user-role>" to user "Alice" using the Graph API
When the user "Alice" deletes a user "Alice" using the Graph API
Then the HTTP status code should be "401"
Then the HTTP status code should be "403"
And user "Alice" should exist
Examples:
| user-role |
@@ -78,7 +78,7 @@ Feature: delete user
Scenario Outline: non-admin user tries to delete a nonexistent user
Given the administrator has assigned the role "<user-role>" to user "Alice" using the Graph API
When the user "Alice" tries to delete a nonexistent user using the Graph API
Then the HTTP status code should be "401"
Then the HTTP status code should be "403"
Examples:
| user-role |
| Space Admin |
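Review bot: expecting 403 rather than 404 when a non-admin deletes a nonexistent user is the right ordering: as this scenario now asserts, the role check is applied before the target is resolved, so a non-admin cannot use the status code to probe which accounts exist. Keep this scenario as a guard against a future refactor that looks up the target before the `RequireAdmin` middleware runs.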
@@ -91,7 +91,7 @@ Feature: delete user
And the administrator has assigned the role "<user-role-2>" to user "Brian" using the Graph API
And the administrator has assigned the role "<user-role>" to user "Alice" using the Graph API
When the user "Alice" deletes a user "Brian" using the Graph API
Then the HTTP status code should be "401"
Then the HTTP status code should be "403"
And user "Brian" should exist
Examples:
| user-role | user-role-2 |
@@ -126,7 +126,7 @@ Feature: delete user
And the administrator has assigned the role "<user-role>" to user "Carol" using the Graph API
And the user "Alice" has disabled user "Brian"
When the user "Carol" deletes a user "Brian" using the Graph API
Then the HTTP status code should be "401"
Then the HTTP status code should be "403"
And user "Brian" should exist
Examples:
| user-role | user-role-2 |

View File

@@ -123,7 +123,7 @@ Feature: edit user
Scenario Outline: normal user should not be able to change his/her own display name
Given the administrator has assigned the role "<user-role>" to user "Brian" using the Graph API
When the user "Brian" tries to change the display name of user "Brian" to "Brian Murphy" using the Graph API
Then the HTTP status code should be "401"
Then the HTTP status code should be "403"
And the user information of "Alice" should match this JSON schema
"""
{
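Review bot: the assertion after the status check reads `And the user information of "Alice" should match this JSON schema`, but the request under test is Brian changing Brian's display name; Alice is not involved. The parallel scenario in the email feature checks "Brian" at this point, so this should read "Brian" too, otherwise a display-name change that slipped through would go unnoticed.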
@@ -155,7 +155,7 @@ Feature: edit user
| password | 1234 |
And the administrator has assigned the role "<user-role-2>" to user "Carol" using the Graph API
When the user "Brian" tries to change the display name of user "Carol" to "Alice Hansen" using the Graph API
Then the HTTP status code should be "401"
Then the HTTP status code should be "403"
And the user information of "Carol" should match this JSON schema
"""
{
@@ -204,7 +204,7 @@ Feature: edit user
And the administrator has assigned the role "<user-role-2>" to user "Carol" using the Graph API
And user "Carol" has uploaded file with content "test file for reset password" to "/resetpassword.txt"
When the user "Brian" resets the password of user "Carol" to "newpassword" using the Graph API
Then the HTTP status code should be "401"
Then the HTTP status code should be "403"
And the content of file "resetpassword.txt" for user "Carol" using password "1234" should be "test file for reset password"
But user "Carol" using password "newpassword" should not be able to download file "resetpassword.txt"
Examples:
@@ -264,7 +264,7 @@ Feature: edit user
Given user "Carol" has been created with default attributes and without skeleton files
And the administrator has assigned the role "<user-role>" to user "Brian" using the Graph API
When the user "Brian" tries to disable user "Carol" using the Graph API
Then the HTTP status code should be "401"
Then the HTTP status code should be "403"
When user "Alice" gets information of user "Carol" using Graph API
Then the HTTP status code should be "200"
And the JSON data of the response should match
@@ -347,7 +347,7 @@ Feature: edit user
And the user "Alice" has disabled user "Carol"
And the administrator has assigned the role "<user-role>" to user "Brian" using the Graph API
When the user "Brian" tries to enable user "Carol" using the Graph API
Then the HTTP status code should be "401"
Then the HTTP status code should be "403"
When user "Alice" gets information of user "Carol" using Graph API
Then the HTTP status code should be "200"
And the JSON data of the response should match

View File

@@ -95,7 +95,7 @@ Feature: get groups and their members
"properties": {
"message": {
"type": "string",
"enum": ["Unauthorized"]
"enum": ["Forbidden"]
}
}
}

View File

@@ -180,7 +180,7 @@ Feature: remove a user from a group
"properties": {
"message": {
"type": "string",
"enum": ["Unauthorized"]
"enum": ["Forbidden"]
}
}
}

View File

@@ -39,7 +39,7 @@ Feature: edit/search user including email
Scenario Outline: normal user should not be able to change their email address
Given the administrator has assigned the role "<user-role>" to user "Brian" using the Graph API
When the user "Brian" tries to change the email of user "Brian" to "newemail@example.com" using the Graph API
Then the HTTP status code should be "401"
Then the HTTP status code should be "403"
And the user information of "Brian" should match this JSON schema
"""
{
@@ -68,7 +68,7 @@ Feature: edit/search user including email
| password | 1234 |
And the administrator has assigned the role "<user-role-2>" to user "Carol" using the Graph API
When the user "Brian" tries to change the email of user "Carol" to "newemail@example.com" using the Graph API
Then the HTTP status code should be "401"
Then the HTTP status code should be "403"
And the user information of "Carol" should match this JSON schema
"""
{