From d1959a258b36f5c85e7e26914bef921defe854a3 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Wed, 21 Jul 2021 13:27:21 -0400
Subject: [PATCH] fix: #9670 return 4xx errors instead of 5xx on flag routes,
 when unauthenticated or not privileged [breaking]

---
 src/controllers/helpers.js | 8 ++------
 src/controllers/mods.js    | 8 +++-----
 2 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/src/controllers/helpers.js b/src/controllers/helpers.js
index bf05a1541d..9e54c27e71 100644
--- a/src/controllers/helpers.js
+++ b/src/controllers/helpers.js
@@ -117,11 +117,7 @@ helpers.buildTerms = function (url, term, query) {
 };
 
 helpers.notAllowed = async function (req, res, error) {
-	const data = await plugins.hooks.fire('filter:helpers.notAllowed', {
-		req: req,
-		res: res,
-		error: error,
-	});
+	({ error } = await plugins.hooks.fire('filter:helpers.notAllowed', { req, res, error }));
 
 	if (req.loggedIn || req.uid === -1) {
 		if (res.locals.isAPI) {
@@ -132,7 +128,7 @@ helpers.notAllowed = async function (req, res, error) {
 			res.status(403).render('403', {
 				path: req.path,
 				loggedIn: req.loggedIn,
-				error: data.error,
+				error,
 				title: '[[global:403.title]]',
 			});
 		}
diff --git a/src/controllers/mods.js b/src/controllers/mods.js
index c323d71132..7980bd90fb 100644
--- a/src/controllers/mods.js
+++ b/src/controllers/mods.js
@@ -27,7 +27,7 @@ modsController.flags.list = async function (req, res, next) {
 	let [,, { filters }] = results;
 
 	if (!(isAdminOrGlobalMod || !!moderatedCids.length)) {
-		return next(new Error('[[error:no-privileges]]'));
+		return helpers.notAllowed(req, res);
 	}
 
 	if (!isAdminOrGlobalMod && moderatedCids.length) {
@@ -113,10 +113,8 @@ modsController.flags.detail = async function (req, res, next) {
 	});
 	results.privileges = { ...results.privileges[0], ...results.privileges[1] };
 
-	if (!results.flagData) {
-		return next(new Error('[[error:invalid-data]]'));
-	} else if (!(results.isAdminOrGlobalMod || !!results.moderatedCids.length)) {
-		return next(new Error('[[error:no-privileges]]'));
+	if (!results.flagData || (!(results.isAdminOrGlobalMod || !!results.moderatedCids.length))) {
+		return next();	// 404
 	}
 
 	if (results.flagData.type === 'user') {