[fix](trx-frontend-http): return 403 for insufficient permissions, not 401

Fix auth middleware to return correct HTTP status codes: - 401 Unauthorized: No session (not authenticated) - 403 Forbidden: Has session but insufficient role Previously, all auth errors returned 401, which caused the frontend to redirect rx users to login when they tried control endpoints. Now rx users scrolling jog wheel/frequency will get a "Insufficient permissions" hint instead of being redirected to login. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Stanislaw Grams <stanislawgrams@gmail.com>
2026-02-13 08:52:38 +01:00
parent 00f82646c2
commit 65662a4f9b
1 changed files with 12 additions and 4 deletions
@@ -529,11 +529,19 @@ where
            }

            if !access.allows(role) {
-                // Access denied - return 401/403
+                // Access denied
                return Box::pin(async move {
-                    Err(actix_web::error::ErrorUnauthorized(
-                        "Unauthorized".to_string(),
-                    ))
+                    if role.is_some() {
+                        // Has session but insufficient permissions - 403 Forbidden
+                        Err(actix_web::error::ErrorForbidden(
+                            "Insufficient permissions".to_string(),
+                        ))
+                    } else {
+                        // No session - 401 Unauthorized
+                        Err(actix_web::error::ErrorUnauthorized(
+                            "Authentication required".to_string(),
+                        ))
+                    }
                });
            }
        }