From d2fee799c23b60a6c166854da716ec3286be03ac Mon Sep 17 00:00:00 2001
From: xilesun <2013xile@gmail.com>
Date: Fri, 25 Apr 2025 13:29:18 +0800
Subject: [PATCH] fix(acl): return 403 instead of 401 fro invalid user roles after sign-in
---
 .../plugin-acl/src/server/__tests__/setCurrentRole.test.ts | 4 ++--
 .../plugin-acl/src/server/middlewares/setCurrentRole.ts | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/packages/plugins/@nocobase/plugin-acl/src/server/__tests__/setCurrentRole.test.ts b/packages/plugins/@nocobase/plugin-acl/src/server/__tests__/setCurrentRole.test.ts
index 872da4d364..4dbf63fdbc 100644
--- a/packages/plugins/@nocobase/plugin-acl/src/server/__tests__/setCurrentRole.test.ts
+++ b/packages/plugins/@nocobase/plugin-acl/src/server/__tests__/setCurrentRole.test.ts
@@ -79,7 +79,7 @@ describe('role', () => {
 const throwFn = vi.fn();
 ctx.throw = throwFn;
 await setCurrentRole(ctx, () => {});
- expect(throwFn).lastCalledWith(401, {
+ expect(throwFn).lastCalledWith(403, {
 code: 'ROLE_NOT_FOUND_FOR_USER',
 message: 'The role does not belong to the user',
 });
@@ -214,7 +214,7 @@ describe('role', () => {
 const throwFn = vi.fn();
 ctx.throw = throwFn;
 await setCurrentRole(ctx, () => {});
- expect(throwFn).lastCalledWith(401, {
+ expect(throwFn).lastCalledWith(403, {
 code: 'USER_HAS_NO_ROLES_ERR',
 message: 'The current user has no roles. Please try another account.',
 });
diff --git a/packages/plugins/@nocobase/plugin-acl/src/server/middlewares/setCurrentRole.ts b/packages/plugins/@nocobase/plugin-acl/src/server/middlewares/setCurrentRole.ts
index abe3f416f2..3d45eb8a4e 100644
--- a/packages/plugins/@nocobase/plugin-acl/src/server/middlewares/setCurrentRole.ts
+++ b/packages/plugins/@nocobase/plugin-acl/src/server/middlewares/setCurrentRole.ts
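Review bot: The two updated assertions (hunks -79 and -214) pin the new 403 for ROLE_NOT_FOUND_FOR_USER and USER_HAS_NO_ROLES_ERR, but the middleware change also flips ROLE_NOT_FOUND_ERR to 403 and no assertion in this file is touched for it, so that branch's status code is left unverified. A third case mirroring these, with `expect(throwFn).lastCalledWith(403, { code: 'ROLE_NOT_FOUND_ERR', message: 'The user role does not exist. Please try signing in again' });`, would keep all three status changes covered. The enclosing `describe('role', ...)` block starts and ends outside both hunks.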
@@ -33,7 +33,7 @@ export async function setCurrentRole(ctx: Context, next) {
 )) as Model[];
 if (!roles.length && !attachRoles.length) {
 ctx.state.currentRole = undefined;
- return ctx.throw(401, {
+ return ctx.throw(403, {
 code: 'USER_HAS_NO_ROLES_ERR',
 message: ctx.t('The current user has no roles. Please try another account.', { ns: 'acl' }),
 });
@@ -51,7 +51,7 @@ export async function setCurrentRole(ctx: Context, next) {
 if (currentRole) {
 role = userRoles.find((role) => role.name === currentRole)?.name;
 if (!role) {
- return ctx.throw(401, {
+ return ctx.throw(403, {
 code: 'ROLE_NOT_FOUND_FOR_USER',
 message: ctx.t('The role does not belong to the user', { ns: 'acl' }),
 });
@@ -64,7 +64,7 @@ export async function setCurrentRole(ctx: Context, next) {
 }
 ctx.state.currentRole = role;
 if (!ctx.state.currentRole) {
- return ctx.throw(401, {
+ return ctx.throw(403, {
 code: 'ROLE_NOT_FOUND_ERR',
 message: ctx.t('The user role does not exist. Please try signing in again', { ns: 'acl' }),
 });
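Review bot: In the third hunk (-64) the ROLE_NOT_FOUND_ERR branch now responds 403 while its message still tells the user to "try signing in again", which is the remedy for a 401; a 403 conventionally means the credentials are accepted but access is denied, so re-authenticating will not change the outcome, and the message and status now disagree. Either reword that message or record the intent once above the first `ctx.throw` in the -33 hunk, e.g. `// 403, not 401: the caller is authenticated; the failure is the role assignment, so signing in again is not the fix.`, so the codes are not reverted later. If any client keys its sign-out or redirect logic off a 401 status rather than the error `code`, it presumably needs checking against all three codes changed here. The body of setCurrentRole starts before the first hunk and continues between and after them.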