[fix](trx-frontend-http): return 403 for unrestricted RX users on control endpoints

When rx_passphrase is not set, RX users have an implicit role without
a session. They should get 403 on control endpoints, not 401.

Previously, unrestricted RX users (with no session) trying control
endpoints would get 401 Unauthorized, triggering login redirect.

Now they get 403 Forbidden with "Insufficient permissions" hint.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Stanislaw Grams <stanislawgrams@gmail.com>
2026-02-13 08:53:46 +01:00
parent 65662a4f9b
commit 82009494b5
@@ -536,8 +536,14 @@ where
Err(actix_web::error::ErrorForbidden( Err(actix_web::error::ErrorForbidden(
"Insufficient permissions".to_string(), "Insufficient permissions".to_string(),
)) ))
} else if allow_unrestricted_read {
// No session but rx access is unrestricted - 403 Forbidden
// (user has implicit rx role from unrestricted access)
Err(actix_web::error::ErrorForbidden(
"Insufficient permissions".to_string(),
))
} else { } else {
// No session - 401 Unauthorized // No session and no unrestricted access - 401 Unauthorized
Err(actix_web::error::ErrorUnauthorized( Err(actix_web::error::ErrorUnauthorized(
"Authentication required".to_string(), "Authentication required".to_string(),
)) ))
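Review bot: The new `else if allow_unrestricted_read` arm builds exactly the same `ErrorForbidden("Insufficient permissions".to_string())` as the arm directly above it; consider folding the two into a single arm (or a small helper that produces the 403) so the forbidden response is defined in one place, keeping the distinct comment that explains the implicit rx role. No test covering the "no session, `allow_unrestricted_read` set, control endpoint" case is visible in this hunk, and since the commit changes the status code from 401 to 403 for that path, a test asserting the 403 (and that the login redirect is no longer triggered) would pin the behaviour described in the message.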