feat(xo-server/api): don't filters error sent to admin users (#6262)

Previous behavior was hiding all errors not explicitly dedicated to be sent to API users and replacing them with an *unknown error from the peer*. This was done to avoid leaking sensitive information, but it often hides important info. Administrators can already see the raw errors in Settings/Logs, therefore it makes sense to not hide them for these users.
2022-06-07 13:34:34 +02:00 · 2022-06-07 13:34:34 +02:00 · dd5e11e835
commit dd5e11e835
parent 3d43550ffe
2 changed files with 7 additions and 0 deletions
--- a/CHANGELOG.unreleased.md
+++ b/CHANGELOG.unreleased.md
@ -7,6 +7,8 @@

 > Users must be able to say: “Nice enhancement, I'm eager to test it”

+- Show raw errors to administrators instead of _unknown error from the peer_ (PR [#6260](https://github.com/vatesfr/xen-orchestra/pull/6260))
+
 ### Bug fixes

 > Users must be able to say: “I had this issue, happy to know it's fixed”
--- a/packages/xo-server/src/xo-mixins/api.mjs
+++ b/packages/xo-server/src/xo-mixins/api.mjs
@ -383,6 +383,11 @@ export default class Api {
        })
      }

+      // don't return *unknown error from the peer* if the user is admin
+      if (error.toJsonRpcError === undefined && context?.user.permission === 'admin') {
+        throw new JsonRpcError(error.message, undefined, serializeError(serializedError))
+      }
+
      throw error
    }
  }