marcel/mealprep
1
0
Fork 0
Code Issues 22 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): use generic forbidden message to avoid leaking required role

Browse Source 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel Raddatz
2026-04-06 19:46:24 +02:00
parent 40ee4dad53
commit 40a6a0e92d
2 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
backend/src/main/java/com/recipeapp/common/HouseholdRoleInterceptor.java
View File

@@ -35,7 +35,7 @@ public class HouseholdRoleInterceptor implements HandlerInterceptor {
String actualRole = householdResolver.resolveRole(auth.getName()); String actualRole = householdResolver.resolveRole(auth.getName());
if (!annotation.value().equals(actualRole)) { if (!annotation.value().equals(actualRole)) {
throw new ForbiddenException("Requires household role: " + annotation.value()); throw new ForbiddenException("Insufficient permissions");
} }
return true; return true;

2
backend/src/test/java/com/recipeapp/common/HouseholdRoleInterceptorTest.java
View File

@@ -62,7 +62,7 @@ class HouseholdRoleInterceptorTest {
assertThatThrownBy(() -> interceptor.preHandle(request, response, handlerMethod)) assertThatThrownBy(() -> interceptor.preHandle(request, response, handlerMethod))
.isInstanceOf(ForbiddenException.class) .isInstanceOf(ForbiddenException.class)
.hasMessageContaining("planner"); .hasMessage("Insufficient permissions");
} }
@Test @Test