From 82009494b5d17fe01cf704df13efdaa84530aba3 Mon Sep 17 00:00:00 2001
From: Stanislaw Grams
Date: Fri, 13 Feb 2026 08:53:46 +0100
Subject: [PATCH] [fix](trx-frontend-http): return 403 for unrestricted RX users on control endpoints
When rx_passphrase is not set, RX users have an implicit role without a session. They should get 403 on control endpoints, not 401. Previously, unrestricted RX users (with no session) trying control endpoints would get 401 Unauthorized, triggering login redirect. Now they get 403 Forbidden with "Insufficient permissions" hint.
Co-Authored-By: Claude Opus 4.6
Signed-off-by: Stanislaw Grams
---
src/trx-client/trx-frontend/trx-frontend-http/src/auth.rs | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/trx-client/trx-frontend/trx-frontend-http/src/auth.rs b/src/trx-client/trx-frontend/trx-frontend-http/src/auth.rs
index f6979a5..8c6ae38 100644
--- a/src/trx-client/trx-frontend/trx-frontend-http/src/auth.rs
+++ b/src/trx-client/trx-frontend/trx-frontend-http/src/auth.rs
@@ -536,8 +536,14 @@ where
 Err(actix_web::error::ErrorForbidden(
 "Insufficient permissions".to_string(),
 ))
+} else if allow_unrestricted_read {
+// No session but rx access is unrestricted - 403 Forbidden
+// (user has implicit rx role from unrestricted access)
+Err(actix_web::error::ErrorForbidden(
+"Insufficient permissions".to_string(),
+))
 } else {
-// No session - 401 Unauthorized
+// No session and no unrestricted access - 401 Unauthorized
 Err(actix_web::error::ErrorUnauthorized(
 "Authentication required".to_string(),
 ))
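Review bot: The new `else if allow_unrestricted_read` arm returns exactly the same `ErrorForbidden("Insufficient permissions".to_string())` as the arm directly above it, so the two bodies are duplicated and could be folded into one arm by appending `|| allow_unrestricted_read` to the preceding condition and keeping the new comment there; that preceding `if` and the start of the enclosing function are outside this hunk, so whether the merge reads cleanly has to be checked in the file. This also changes an authorization outcome for clients with no session and the patch carries no test; a test that hits a control endpoint without a session and asserts 403 when rx access is unrestricted and 401 otherwise would pin the intended split and guard the comment's claims. The comment should also make the trade-off explicit, since a caller who could obtain control permission by logging in is presumably no longer redirected to do so on these endpoints, e.g. `// Note: without a session this also applies to users who could log in; no login redirect is issued here.`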