graph/users: Fix http status codes for unprivileged requests

Neither 'BadRequest' (as expected in the unit test) nor 'Unauthorized' (as expected
in the API tests) seems correct here. We're now returning 'Forbidden' when an unprivileged
user issues a GetUsers request that it is not allowed to perform.
This commit is contained in:
Ralf Haferkamp
2023-12-06 13:35:48 +01:00
committed by Ralf Haferkamp
parent 4cb6d99e88
commit 6fab0ad05a
3 changed files with 7 additions and 7 deletions
+2 -2
@@ -226,14 +226,14 @@ func (g Graph) GetUsers(w http.ResponseWriter, r *http.Request) {
if !ctxHasFullPerms && (odataReq.Query == nil || odataReq.Query.Search == nil || len(odataReq.Query.Search.RawValue) < g.config.API.IdentitySearchMinLength) {
// for regular user the search term must have a minimum length
logger.Debug().Interface("query", r.URL.Query()).Msgf("search with less than %d chars for a regular user", g.config.API.IdentitySearchMinLength)
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "search term too short")
errorcode.AccessDenied.Render(w, r, http.StatusForbidden, "search term too short")
return
}
if !ctxHasFullPerms && (odataReq.Query.Filter != nil || odataReq.Query.Apply != nil || odataReq.Query.Expand != nil || odataReq.Query.Compute != nil) {
// regular users can't use filter, apply, expand and compute
logger.Debug().Interface("query", r.URL.Query()).Msg("forbidden query elements for a regular user")
errorcode.InvalidRequest.Render(w, r, http.StatusBadRequest, "query has forbidden elements for regular users")
errorcode.AccessDenied.Render(w, r, http.StatusForbidden, "query has forbidden elements for regular users")
return
}
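Review bot: The 403 rendered on the new line `errorcode.AccessDenied.Render(w, r, http.StatusForbidden, "search term too short")` is also reached when `odataReq.Query` or `odataReq.Query.Search` is nil, i.e. when no `$search` was sent at all, so the message misdescribes that case; a message such as `"unprivileged users must supply a $search term of at least N characters"` (built with `fmt.Sprintf` and `g.config.API.IdentitySearchMinLength`, if fmt is in scope) would state the actual rule. Separately, the guard compares `len(odataReq.Query.Search.RawValue)`, which counts bytes, so a term of two multi-byte runes already satisfies a minimum of three and weakens the enumeration limit this check appears to enforce; `utf8.RuneCountInString(odataReq.Query.Search.RawValue)` (from `unicode/utf8`) counts characters instead. GetUsers starts before and continues past this hunk.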
+2 -2
@@ -269,14 +269,14 @@ var _ = Describe("Users", func() {
r := httptest.NewRequest(http.MethodGet, "/graph/v1.0/users", nil)
svc.GetUsers(rr, r)
Expect(rr.Code).To(Equal(http.StatusBadRequest))
Expect(rr.Code).To(Equal(http.StatusForbidden))
})
It("denies using to short search terms for unprivileged users", func() {
permissionService.On("GetPermissionByID", mock.Anything, mock.Anything).Return(&settings.GetPermissionByIDResponse{}, nil)
r := httptest.NewRequest(http.MethodGet, "/graph/v1.0/users?$search=a", nil)
svc.GetUsers(rr, r)
Expect(rr.Code).To(Equal(http.StatusBadRequest))
Expect(rr.Code).To(Equal(http.StatusForbidden))
})
It("only returns a restricted set of attributes for unprivileged users", func() {
permissionService.On("GetPermissionByID", mock.Anything, mock.Anything).Return(&settings.GetPermissionByIDResponse{}, nil)
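Review bot: Both updated assertions pin only the status code, so a regression that renders `errorcode.InvalidRequest` with 403 (or `AccessDenied` with 400) would still pass; asserting on the error code carried in `rr.Body` as well would tie the tests to the intended `AccessDenied` semantics — the body shape isn't visible here, so match on whatever field holds the code. The description of the second `It` reads "to short"; "too short" is intended. The enclosing Describe block starts before and continues past this hunk.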
@@ -229,7 +229,7 @@ Feature: get users
Scenario Outline: non-admin user tries to get all users
Given the administrator has assigned the role "<userRole>" to user "Alice" using the Graph API
When user "Brian" tries to get all users using the Graph API
Then the HTTP status code should be "401"
Then the HTTP status code should be "403"
And the JSON data of the response should match
"""
{
@@ -831,7 +831,7 @@ Feature: get users
And group "tea-lover" has been created
And user "Alice" has been added to group "tea-lover"
When the user "Brian" gets all users of the group "tea-lover" using the Graph API
Then the HTTP status code should be "401"
Then the HTTP status code should be "403"
And the JSON data of the response should match
"""
{
@@ -968,7 +968,7 @@ Feature: get users
Scenario Outline: non-admin user tries to get users with a certain role
Given the administrator has assigned the role "<userRole>" to user "Alice" using the Graph API
When the user "Alice" gets all users with role "<role>" using the Graph API
Then the HTTP status code should be "401"
Then the HTTP status code should be "403"
And the JSON data of the response should match
"""
{