diff --git a/server/router/api/v1/idp_service.go b/server/router/api/v1/idp_service.go
index 2b48d2c10..e8f055c40 100644
--- a/server/router/api/v1/idp_service.go
+++ b/server/router/api/v1/idp_service.go
@@ -18,7 +18,10 @@ func (s *APIV1Service) CreateIdentityProvider(ctx context.Context, request *v1pb
 if err != nil {
 return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
 }
- if currentUser == nil || currentUser.Role != store.RoleHost {
+ if currentUser == nil {
+ return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+ }
+ if currentUser.Role != store.RoleHost {
 return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 }
@@ -84,7 +87,10 @@ func (s *APIV1Service) UpdateIdentityProvider(ctx context.Context, request *v1pb
 if err != nil {
 return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
 }
- if currentUser == nil || currentUser.Role != store.RoleHost {
+ if currentUser == nil {
+ return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+ }
+ if currentUser.Role != store.RoleHost {
 return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 }
@@ -125,7 +131,10 @@ func (s *APIV1Service) DeleteIdentityProvider(ctx context.Context, request *v1pb
 if err != nil {
 return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
 }
- if currentUser == nil || currentUser.Role != store.RoleHost {
+ if currentUser == nil {
+ return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+ }
+ if currentUser.Role != store.RoleHost {
 return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 }
diff --git a/server/router/api/v1/instance_service.go b/server/router/api/v1/instance_service.go
index 82830112e..049f9f3b6 100644
--- a/server/router/api/v1/instance_service.go
+++ b/server/router/api/v1/instance_service.go
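Review bot: The new nil/role pair is pasted verbatim into CreateIdentityProvider, UpdateIdentityProvider and DeleteIdentityProvider here, into GetInstanceSetting in instance_service.go, and (nil check only) into the four user_service.go hunks; a small helper that maps the looked-up user to the status error keeps the Unauthenticated/PermissionDenied split defined in one place, assuming the lookup yields a `*store.User` as the `.Role`/`.ID` accesses suggest. The added `status.Errorf` calls carry no format verbs, so `status.Error(codes.Unauthenticated, "user not authenticated")` is the precise form at every new site. CreateIdentityProvider's body starts and ends outside the hunk.
```go
// requireHost converts the result of the current-user lookup into the status
// error the host-only endpoints return: Unauthenticated when no user is bound
// to the request, PermissionDenied when the user is not the host.
func requireHost(u *store.User) error {
	if u == nil {
		return status.Error(codes.Unauthenticated, "user not authenticated")
	}
	if u.Role != store.RoleHost {
		return status.Error(codes.PermissionDenied, "permission denied")
	}
	return nil
}

// … in CreateIdentityProvider and the other host-only handlers, replacing the two added ifs …
	if err := requireHost(currentUser); err != nil {
		return nil, err
	}
```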
@@ -70,7 +70,10 @@ func (s *APIV1Service) GetInstanceSetting(ctx context.Context, request *v1pb.Get
 if err != nil {
 return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
 }
- if user == nil || user.Role != store.RoleHost {
+ if user == nil {
+ return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+ }
+ if user.Role != store.RoleHost {
 return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 }
 }
diff --git a/server/router/api/v1/memo_service.go b/server/router/api/v1/memo_service.go
index f407b009e..db6dd141e 100644
--- a/server/router/api/v1/memo_service.go
+++ b/server/router/api/v1/memo_service.go
@@ -281,7 +281,7 @@ func (s *APIV1Service) GetMemo(ctx context.Context, request *v1pb.GetMemoRequest
 return nil, status.Errorf(codes.Internal, "failed to get user")
 }
 if user == nil {
- return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+ return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
 }
 if memo.Visibility == store.Private && memo.CreatorID != user.ID {
 return nil, status.Errorf(codes.PermissionDenied, "permission denied")
diff --git a/server/router/api/v1/test/idp_service_test.go b/server/router/api/v1/test/idp_service_test.go
index d60d42de0..302a2737e 100644
--- a/server/router/api/v1/test/idp_service_test.go
+++ b/server/router/api/v1/test/idp_service_test.go
@@ -97,7 +97,7 @@ func TestCreateIdentityProvider(t *testing.T) {
 _, err := ts.Service.CreateIdentityProvider(ctx, req)
 require.Error(t, err)
- require.Contains(t, err.Error(), "permission denied")
+ require.Contains(t, err.Error(), "user not authenticated")
 })
 }
@@ -547,6 +547,6 @@ func TestIdentityProviderPermissions(t *testing.T) {
 _, err := ts.Service.CreateIdentityProvider(ctx, req)
 require.Error(t, err)
- require.Contains(t, err.Error(), "permission denied")
+ require.Contains(t, err.Error(), "user not authenticated")
 })
 }
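Review bot: Both updated assertions in TestCreateIdentityProvider and TestIdentityProviderPermissions still match on the error text, which is exactly what this commit changed; asserting the gRPC code is robust to wording, e.g. `require.Equal(t, codes.Unauthenticated, status.Code(err))` (needs the grpc `codes`/`status` imports if the test file lacks them). The only handler whose new Unauthenticated path is exercised here is CreateIdentityProvider; UpdateIdentityProvider, DeleteIdentityProvider, GetInstanceSetting, GetMemo and the user_service.go handlers changed the same way but get no assertion in this diff, unless they are covered elsewhere. Both test functions continue outside the hunk.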
diff --git a/server/router/api/v1/user_service.go b/server/router/api/v1/user_service.go
index 6260a9547..9ef0d277b 100644
--- a/server/router/api/v1/user_service.go
+++ b/server/router/api/v1/user_service.go
@@ -192,6 +192,9 @@ func (s *APIV1Service) UpdateUser(ctx context.Context, request *v1pb.UpdateUserR
 if err != nil {
 return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
 }
+ if currentUser == nil {
+ return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+ }
 // Check permission.
 // Only allow admin or self to update user.
 if currentUser.ID != userID && currentUser.Role != store.RoleAdmin && currentUser.Role != store.RoleHost {
@@ -1240,6 +1243,9 @@ func (s *APIV1Service) ListUserNotifications(ctx context.Context, request *v1pb.
 if err != nil {
 return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
 }
+ if currentUser == nil {
+ return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+ }
 if currentUser.ID != userID {
 return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 }
@@ -1287,6 +1293,9 @@ func (s *APIV1Service) UpdateUserNotification(ctx context.Context, request *v1pb
 return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
 }
+ if currentUser == nil {
+ return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+ }
 // Verify ownership before updating
 inboxes, err := s.Store.ListInboxes(ctx, &store.FindInbox{
 ID: ¬ificationID,
@@ -1352,6 +1361,9 @@ func (s *APIV1Service) DeleteUserNotification(ctx context.Context, request *v1pb
 return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
 }
+ if currentUser == nil {
+ return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+ }
 // Verify ownership before deletion
 inboxes, err := s.Store.ListInboxes(ctx, &store.FindInbox{
 ID: ¬ificationID,
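Review bot: The four guards added in UpdateUser, ListUserNotifications, UpdateUserNotification and DeleteUserNotification are bare, while the file annotates the neighbouring checks (`// Check permission.`, `// Verify ownership before updating`); a one-line why-comment on each guard, e.g. `// No user is bound to the request: report Unauthenticated rather than PermissionDenied so clients can tell a missing login from an authorization failure.`, keeps that distinction readable at the site where it is made. In the UpdateUserNotification and DeleteUserNotification hunks the line counts imply a blank line between the error block and the new check, which visually attaches the guard to the ownership comment; placing it directly after the closing `}` as in the first two hunks keeps the authentication steps together. All four functions start and end outside their hunks.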