Getting internal server error instead of Forbidden

System Information
  • Strapi Version: 4.3.2
  • Operating System: Windows 10
  • Database: PostgreSQL
  • Node Version: 16.13.1
  • NPM Version: 8.1.2
  • Yarn Version: 1.22.17


I’ve encountered a problem with the users-permissions plugin when handling requests made to controllers without an appropriate role.
Basically, if you make a request to a controller as a user to an endpoint for which the user doesn’t have the required role, rather than the request returning a 403 Forbidden response, we get a 500 internal server error response.
Meanwhile, in the strapi console it shows that the application threw a ForbiddenError.

I drilled down into the source code a bit and I found that in @strapi/strapi/lib/services/server/compose-endpoint.js there is logic that should catch this error (can’t post a screenshot of the code as I can only provide one image per post :confused: ). However after doing some testing, it seems like Javascript doesn’t see the error object as an instance of ForbiddenError here (both checks return false), but rather sees it as the grand-parent class Error.
Is this a Strapi bug or does this only happen on our version of Strapi for some reason?
If it is a bug, how should I work around this to get proper 403 responses? I figure I have to implement new policies, but it looks like this check happens before the global policies kick in and so the request doesn’t reach the custom global policy I create.
Help would be much appreciated.

Here’s the check in compose-endpoint.js

Please make sure you upgrade to the latest Strapi version to prevent any unintended bugs etc.

Updating to all strapi dependency versions to 4.3.6 seems to have worked.
This is embarrassing :sweat_smile:
Thanks for the help!

Not a problem glad it helped :grinning_face_with_smiling_eyes: