Internal server error instead of 403 Forbidden

System Information
  • Strapi Version: 4.3.2
  • Operating System: Windows 10
  • Database: PostgreSQL
  • Node Version: 16.13.1
  • NPM Version: 8.1.2
  • Yarn Version: 1.22.17

Hello,

I’ve encountered a problem with the users-permissions plugin when handling requests made to controllers without an appropriate role.
Basically, if you make a request to a controller as a user to an endpoint for which the user doesn’t have the required role, rather than the request returning a 403 Forbidden response, we get a 500 internal server error response.
Meanwhile, in the Strapi console it shows that the application threw a ForbiddenError.

I drilled down into the source code a bit and I found that in @strapi/strapi/lib/services/server/compose-endpoint.js there is logic that should catch this error (can’t post a screenshot of the code as I can only provide one image per post :confused: ). However, after doing some testing, it seems like JavaScript doesn’t see the error object as an instance of ForbiddenError here (both checks return false), but rather sees it as the grand-parent class Error.
Is this a Strapi bug or does this only happen on our version of Strapi for some reason?
If it is a bug, how should I work around this to get proper 403 responses? I figure I have to implement new policies, but it looks like this check happens before the global policies kick in and so the request doesn’t reach the custom global policy I create.
Help would be much appreciated.

Here is the check in compose-endpoint.js
[screenshot of the check in compose-endpoint.js, not reproduced]


Received a reply in another thread I posted, suggesting that I try updating my Strapi version. At the time of writing it was 4.3.6. After updating the version for all Strapi dependencies and running yarn install and yarn build, I’m getting the proper 403 error now.
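An added illustration, not Strapi's code and not from either post, of the observation in the first post: `err instanceof ForbiddenError` can return false for an error that is still an instance of `Error` when the error was constructed by a different loaded copy of the module that defines the class, which is one way a mismatched set of package versions can turn a ForbiddenError into a 500 instead of a 403. The duplicated-module scenario, the `status` property and the shape-based fallback check are assumptions made for this example.

```javascript
// Added example (not Strapi's code). Shows why an `instanceof ForbiddenError`
// check can fail while `instanceof Error` still passes: `instanceof` compares
// against one specific constructor function, so a second loaded copy of the
// defining module yields a different, non-matching class. The duplicated-copy
// scenario and the `status` field are assumptions for illustration.

// Simulates the module that defines ForbiddenError; called twice to stand in
// for two copies of the same package being loaded by different parts of the app.
function loadErrorModule() {
  class ForbiddenError extends Error {
    constructor(message = 'Forbidden') {
      super(message);
      this.name = 'ForbiddenError';
      this.status = 403; // assumed field carried by the error itself
    }
  }
  return { ForbiddenError };
}

const copyA = loadErrorModule(); // copy used by the code that throws (policy)
const copyB = loadErrorModule(); // copy used by the code that checks (endpoint wrapper)

// Brittle mapping: depends on constructor identity.
function statusByInstanceof(err, ForbiddenError) {
  return err instanceof ForbiddenError ? 403 : 500;
}

// Robust mapping: inspects properties the error carries regardless of which
// copy of the class built it. Anything else stays a 500 so real faults surface.
function statusByShape(err) {
  if (err instanceof Error && (err.name === 'ForbiddenError' || err.status === 403)) {
    return 403;
  }
  return 500;
}

const thrown = new copyA.ForbiddenError();

// Same copy on both sides: the check works and the client gets a 403.
const sameCopy = statusByInstanceof(thrown, copyA.ForbiddenError);
// Different copies: instanceof is false and the request degrades to a 500,
// even though the console would still print a ForbiddenError.
const otherCopy = statusByInstanceof(thrown, copyB.ForbiddenError);
// The shape-based check is unaffected by which copy threw.
const robust = statusByShape(thrown);

console.log({ sameCopy, otherCopy, robust, stillAnError: thrown instanceof Error });
```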