
feat: more accurate status codes

403 Forbidden replaces many 401 Unauthorized usages.
Chris Milne 2026-06-11 14:58:05 +01:00
parent b3ae655009
commit c2e035dede
11 changed files with 81 additions and 74 deletions


@ -27,7 +27,6 @@ from src.schemas import GroupSummary, OrgSummary, ResourceName
from src.service.exceptions import ServiceNotFoundException
from src.exceptions import ConflictException, ForbiddenException
from src.database import db_dependency
from src.auth.exceptions import UnauthorizedException
from src.auth.service import claims_dependency
from src.auth.dependencies import (
org_model_root_claim_query_dependency,
@ -171,7 +170,7 @@ async def get_group_permissions(
Gets a list of permissions granted to the group. Also returns a summary for the org and group.
"""
if group_model.org_id != org_model.id:
raise UnauthorizedException("Group does not belong to this organization")
raise ForbiddenException("Group does not belong to this organization")
return {
"organisation": org_model,
"group": group_model,
@ -198,7 +197,7 @@ async def get_group_users(
Gets a list of users assigned to the group. Also returns a summary for the org and group.
"""
if group_model.org_id != org_model.id:
raise UnauthorizedException("Group does not belong to this organization")
raise ForbiddenException("Group does not belong to this organization")
return {
"organisation": org_model,
"group": group_model,
@ -266,7 +265,7 @@ async def add_group_permission(
Grants a permission to a group. Returns a list of the permissions in the group as well as a summary for the org and group.
"""
if group_model.org_id != org_model.id:
raise UnauthorizedException("Group does not belong to this organization")
raise ForbiddenException("Group does not belong to this organization")
if perm_model in group_model.permission_rel:
raise ConflictException("Group already has this permission")
@ -311,7 +310,7 @@ async def add_group_user(
The user's email address must match the email on their OIDC profile.
"""
if group_model.org_id != org_model.id:
raise UnauthorizedException("Group does not belong to this organization")
raise ForbiddenException("Group does not belong to this organization")
if user_model in group_model.user_rel:
raise ConflictException("User already in group")
@ -351,7 +350,7 @@ async def remove_group_permissions(
Removes a permission from the group.
"""
if group_model.org_id != org_model.id:
raise UnauthorizedException("Group does not belong to this organization")
raise ForbiddenException("Group does not belong to this organization")
group_model.permission_rel.remove(perm_model)
db.flush()
@ -370,8 +369,9 @@ async def remove_group_permissions(
response_model=IAMDeleteGroupUserResponse,
responses={
status.HTTP_401_UNAUTHORIZED: {
"description": "Group not in org | User not authenticated | User does not have permission"
"description": "User not authenticated | User does not have permission"
},
status.HTTP_403_FORBIDDEN: {"description": "Group not in org"},
},
)
async def remove_group_user(
@ -384,7 +384,7 @@ async def remove_group_user(
Removes a user from the group.
"""
if group_model.org_id != org_model.id:
raise UnauthorizedException("Group does not belong to this organization")
raise ForbiddenException("Group does not belong to this organization")
user_model.group_rel.remove(group_model)
db.flush()