marcel/familienarchiv
1
0
Fork 0
Code Issues 110 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

fix(permissions): redirect read-only users from /documents/new to home
Some checks failed
CI / Unit & Component Tests (pull_request) Has been cancelled
Details
CI / Backend Unit Tests (pull_request) Has been cancelled
Details
CI / E2E Tests (pull_request) Has been cancelled
Details
CI / Unit & Component Tests (push) Successful in 2m5s
Details
CI / Backend Unit Tests (push) Successful in 2m0s
Details
CI / E2E Tests (push) Failing after 21m36s
Details

Browse Source 
throw error(403) kept the URL at /documents/new (the error page renders
in-place). Changed to throw redirect(303, '/') so the URL actually changes,
matching the E2E test expectation that a read-only user is redirected away.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel
2026-03-22 23:01:45 +01:00
parent 70d858b65a
commit f98792f10b
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
frontend/src/routes/documents/new/+page.server.ts
View File

@@ -1,4 +1,4 @@
import { error, fail, redirect } from '@sveltejs/kit'; import { fail, redirect } from '@sveltejs/kit';
import { env } from '$env/dynamic/private'; import { env } from '$env/dynamic/private';
import { createApiClient } from '$lib/api.server'; import { createApiClient } from '$lib/api.server';
import { parseBackendError, getErrorMessage } from '$lib/errors'; import { parseBackendError, getErrorMessage } from '$lib/errors';
@@ -16,7 +16,7 @@ export async function load({
locals.user?.groups?.some((g: { permissions: string[] }) => locals.user?.groups?.some((g: { permissions: string[] }) =>
g.permissions.includes('WRITE_ALL') g.permissions.includes('WRITE_ALL')
) ?? false; ) ?? false;
if (!canWrite) throw error(403, 'Forbidden'); if (!canWrite) throw redirect(303, '/');
const senderId = url.searchParams.get('senderId') || ''; const senderId = url.searchParams.get('senderId') || '';
const receiverId = url.searchParams.get('receiverId') || ''; const receiverId = url.searchParams.get('receiverId') || '';