From dd5e11e8357653ba707cccdf654b79cc8888a6f2 Mon Sep 17 00:00:00 2001
From: Julien Fontanet
Date: Tue, 7 Jun 2022 13:34:34 +0200
Subject: [PATCH] feat(xo-server/api): don't filters error sent to admin users (#6262) Previous behavior was hiding all errors not explicitly dedicated to be sent to API users and replacing them with an *unknown error from the peer*. This was done to avoid leaking sensitive information, but it often hides important info. Administrators can already see the raw errors in Settings/Logs, therefore it makes sense to not hide them for these users.
---
 CHANGELOG.unreleased.md | 2 ++
 packages/xo-server/src/xo-mixins/api.mjs | 5 +++++
 2 files changed, 7 insertions(+)
diff --git a/CHANGELOG.unreleased.md b/CHANGELOG.unreleased.md
index 355926e42..973905bdc 100644
--- a/CHANGELOG.unreleased.md
+++ b/CHANGELOG.unreleased.md
@@ -7,6 +7,8 @@
 
 > Users must be able to say: “Nice enhancement, I'm eager to test it”
 
+- Show raw errors to administrators instead of _unknown error from the peer_ (PR [#6260](https://github.com/vatesfr/xen-orchestra/pull/6260))
+
 ### Bug fixes
 
 > Users must be able to say: “I had this issue, happy to know it's fixed”
diff --git a/packages/xo-server/src/xo-mixins/api.mjs b/packages/xo-server/src/xo-mixins/api.mjs
index ff6cb3add..31c0e79fe 100644
--- a/packages/xo-server/src/xo-mixins/api.mjs
+++ b/packages/xo-server/src/xo-mixins/api.mjs
@@ -383,6 +383,11 @@ export default class Api {
 })
 }
 
+ // don't return *unknown error from the peer* if the user is admin
+ if (error.toJsonRpcError === undefined && context?.user.permission === 'admin') {
+ throw new JsonRpcError(error.message, undefined, serializeError(serializedError))
+ }
+
 throw error
 }
 }
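Review bot: In the added admin branch of the api.mjs hunk, `context?.user.permission` only guards against a missing `context`. If `context.user` can be unset (for example on an unauthenticated call, which the hunk does not show), the access throws a TypeError inside the error handler and masks the original error; `context?.user?.permission === 'admin'` avoids that and still fails closed. The branch also passes `serializedError`, which is defined outside the hunk and by its name looks already serialized, through `serializeError` a second time, so confirm that is intended. This path now returns the raw message and serialized error data to the API client, so the comment should record the trust decision, e.g. `// admins only: raw message and serialized error are returned to the client, same exposure as Settings/Logs; keep any redaction applied there in sync`. The enclosing method starts and ends outside the hunk.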