Alerting: Fix fine-grained rule access control to use 403 for authorization error (#79239)

* use 403 for authorization error
* update silences API
* add ForbiddenError to rule API responses
Yuri Tseretyan
2023-12-07 13:43:58 -05:00
committed by GitHub
parent aa12c6c772
commit 2be7605794
17 changed files with 629 additions and 444 deletions


@@ -1049,7 +1049,7 @@ func TestIntegrationAlertRuleCRUD(t *testing.T) {
},
expectedCode: func() int {
if setting.IsEnterprise {
return http.StatusUnauthorized
return http.StatusForbidden
}
return http.StatusBadRequest
}(),
@@ -2285,7 +2285,7 @@ func TestIntegrationEval(t *testing.T) {
expectedResponse: func() string { return "" },
expectedStatusCode: func() int {
if setting.IsEnterprise {
return http.StatusUnauthorized
return http.StatusForbidden
}
return http.StatusBadRequest
},
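Review bot: The `expectedCode` closure in TestIntegrationAlertRuleCRUD returns 403 under `setting.IsEnterprise` and 400 otherwise, with no comment saying why the same request is rejected differently per edition; the `expectedStatusCode` closure in the TestIntegrationEval hunk has the same undocumented split. A one-line comment above each `if` would keep a later reader from changing the 400 branch to 403 by mistake, for example `// enterprise enforces data source permissions (403); OSS rejects the request as invalid (400)`. The reason given in that comment is only inferred from these hunks, so confirm it against the handler before adopting the wording. Both test functions start and end outside their hunks.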


@@ -124,7 +124,7 @@ func TestBacktesting(t *testing.T) {
t.Run("fail if can't query data sources", func(t *testing.T) {
status, body := testUserApiCli.SubmitRuleForBacktesting(t, queryRequest)
require.Contains(t, body, "user is not authorized to access rule group")
require.Equalf(t, http.StatusUnauthorized, status, "Response: %s", body)
require.Equalf(t, http.StatusForbidden, status, "Response: %s", body)
})
})
}
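Review bot: In the "fail if can't query data sources" subtest the `require.Contains` on the body runs before the status assertion, so a response with an unexpected status and a different body fails on the message text and never reports the code. Asserting the status first gives the clearer failure, because that line already prints the body: put `require.Equalf(t, http.StatusForbidden, status, "Response: %s", body)` ahead of `require.Contains(t, body, "user is not authorized to access rule group")`. TestBacktesting starts outside the hunk.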


@@ -285,7 +285,7 @@ func TestIntegrationAlertRulePermissions(t *testing.T) {
ExportQueryParams: apimodels.ExportQueryParams{Format: "json"},
FolderUID: []string{"folder2"},
})
assert.Equal(t, http.StatusUnauthorized, status)
assert.Equal(t, http.StatusForbidden, status)
})
t.Run("Export from one group", func(t *testing.T) {