fix: #9670 return 4xx errors instead of 5xx on flag routes, when unauthenticated or not privileged [breaking]

src/controllers/helpers.js

@@ -117,11 +117,7 @@ helpers.buildTerms = function (url, term, query) {
 };
 
 helpers.notAllowed = async function (req, res, error) {
-	const data = await plugins.hooks.fire('filter:helpers.notAllowed', {
+	({ error } = await plugins.hooks.fire('filter:helpers.notAllowed', { req, res, error }));
-		req: req,
-		res: res,
-		error: error,
-	});
 
 	if (req.loggedIn || req.uid === -1) {
 		if (res.locals.isAPI) {
@@ -132,7 +128,7 @@ helpers.notAllowed = async function (req, res, error) {
 			res.status(403).render('403', {
 				path: req.path,
 				loggedIn: req.loggedIn,
-				error: data.error,
+				error,
 				title: '[[global:403.title]]',
 			});
 		}

src/controllers/mods.js

@@ -27,7 +27,7 @@ modsController.flags.list = async function (req, res, next) {
 	let [,, { filters }] = results;
 
 	if (!(isAdminOrGlobalMod || !!moderatedCids.length)) {
-		return next(new Error('[[error:no-privileges]]'));
+		return helpers.notAllowed(req, res);
 	}
 
 	if (!isAdminOrGlobalMod && moderatedCids.length) {
@@ -113,10 +113,8 @@ modsController.flags.detail = async function (req, res, next) {
 	});
 	results.privileges = { ...results.privileges[0], ...results.privileges[1] };
 
-	if (!results.flagData) {
+	if (!results.flagData || (!(results.isAdminOrGlobalMod || !!results.moderatedCids.length))) {
-		return next(new Error('[[error:invalid-data]]'));
+		return next();	// 404
-	} else if (!(results.isAdminOrGlobalMod || !!results.moderatedCids.length)) {
-		return next(new Error('[[error:no-privileges]]'));
 	}
 
 	if (results.flagData.type === 'user') {