- Strapi Version: 4.3.2
- Operating System: Windows 10
- Database: PostgreSQL
- Node Version: 16.13.1
- NPM Version: 8.1.2
- Yarn Version: 1.22.17

I’ve encountered a problem with the users-permissions plugin when handling requests made to controllers without an appropriate role.
Basically, if you make a request to a controller as a user to an endpoint for which the user doesn’t have the required role, rather than the request returning a 403 Forbidden response, we get a 500 Internal Server Error response.
Meanwhile, the Strapi console shows that the application threw a ForbiddenError.
Is this a Strapi bug or does this only happen on our version of Strapi for some reason?
If it is a bug, how should I work around this to get proper 403 responses? I figure I have to implement new policies, but it looks like this check happens before the global policies kick in and so the request doesn’t reach the custom global policy I create.
Help would be much appreciated.