From d1959a258b36f5c85e7e26914bef921defe854a3 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Wed, 21 Jul 2021 13:27:21 -0400
Subject: [PATCH] fix: #9670 return 4xx errors instead of 5xx on flag routes, when unauthenticated or not privileged [breaking]
---
 src/controllers/helpers.js | 8 ++------
 src/controllers/mods.js | 8 +++-----
 2 files changed, 5 insertions(+), 11 deletions(-)
diff --git a/src/controllers/helpers.js b/src/controllers/helpers.js
index bf05a1541d..9e54c27e71 100644
--- a/src/controllers/helpers.js
+++ b/src/controllers/helpers.js
@@ -117,11 +117,7 @@ helpers.buildTerms = function (url, term, query) {
 };
 helpers.notAllowed = async function (req, res, error) {
- const data = await plugins.hooks.fire('filter:helpers.notAllowed', {
- req: req,
- res: res,
- error: error,
- });
+ ({ error } = await plugins.hooks.fire('filter:helpers.notAllowed', { req, res, error }));
 if (req.loggedIn || req.uid === -1) {
 if (res.locals.isAPI) {
@@ -132,7 +128,7 @@ helpers.notAllowed = async function (req, res, error) {
 res.status(403).render('403', {
 path: req.path,
 loggedIn: req.loggedIn,
- error: data.error,
+ error,
 title: '[[global:403.title]]',
 });
 }
diff --git a/src/controllers/mods.js b/src/controllers/mods.js
index c323d71132..7980bd90fb 100644
--- a/src/controllers/mods.js
+++ b/src/controllers/mods.js
@@ -27,7 +27,7 @@ modsController.flags.list = async function (req, res, next) {
 let [,, { filters }] = results;
 if (!(isAdminOrGlobalMod || !!moderatedCids.length)) {
- return next(new Error('[[error:no-privileges]]'));
+ return helpers.notAllowed(req, res);
 }
 if (!isAdminOrGlobalMod && moderatedCids.length) {
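Review bot: In the first hunk of src/controllers/helpers.js, the parameter `error` is overwritten with whatever the `filter:helpers.notAllowed` hook returns, so any later use of `error` in helpers.notAllowed, including in the `res.locals.isAPI` branch whose body lies outside the hunk, would now see plugin-supplied text, where before only the rendered 403 page (second hunk, `error,`) used `data.error`. If that widening is intended, say so in a comment above the call, for example `// plugins may replace the message; the filtered value is used by every response branch below`. The destructuring also throws before any response is sent if a listener resolves to a non-object, so it is worth confirming that the hook always hands back the payload object.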
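Review bot: In the `modsController.flags.list` hunk of src/controllers/mods.js, `helpers.notAllowed(req, res)` is called without the third argument, so the `[[error:no-privileges]]` key carried by the removed line is dropped and both the hook and the 403 template receive `error` as undefined unless a plugin supplies one. If the message should survive, pass it through: `return helpers.notAllowed(req, res, '[[error:no-privileges]]');`. The denial is also no longer routed through `next(err)`; if the error middleware was where refused requests to moderator routes got recorded, that record is gone, which is worth checking against the project's logging. The function body starts and ends outside the hunk.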
@@ -113,10 +113,8 @@ modsController.flags.detail = async function (req, res, next) {
 });
 results.privileges = { ...results.privileges[0], ...results.privileges[1] };
- if (!results.flagData) {
- return next(new Error('[[error:invalid-data]]'));
- } else if (!(results.isAdminOrGlobalMod || !!results.moderatedCids.length)) {
- return next(new Error('[[error:no-privileges]]'));
+ if (!results.flagData || (!(results.isAdminOrGlobalMod || !!results.moderatedCids.length))) {
+ return next(); // 404
 }
 if (results.flagData.type === 'user') {
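Review bot: The `// 404` comment on `return next();` in `modsController.flags.detail` does not say why a caller without privileges gets the same answer as a missing flag, while the list route in the previous hunk answers 403 through `helpers.notAllowed`. Assuming the aim is to avoid confirming which flag ids exist to callers who may not see them, state that: `// fall through to the 404 handler for both cases so the response does not reveal whether the flag exists`. The extra parentheses around the second operand can go: `if (!results.flagData || !(results.isAdminOrGlobalMod || !!results.moderatedCids.length)) {`. An unauthenticated visitor also falls through to 404 here instead of whatever helpers.notAllowed does for guests, so confirm that is the wanted behaviour for an expired moderator session; the function body starts and ends outside the hunk.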