fix: return 403 if user can't disable the space due to permissions

services/graph/pkg/service/v0/drives.go

@@ -425,7 +425,7 @@
 	if resp.GetStatus().GetCode() != cs3rpc.Code_CODE_OK {
 		if resp.GetStatus().GetCode() == cs3rpc.Code_CODE_PERMISSION_DENIED {
 			logger.Debug().Str("grpcmessage", resp.GetStatus().GetMessage()).Msg("could not create drive: permission denied")
-			errorcode.NotAllowed.Render(w, r, http.StatusForbidden, "permission denied")
+			errorcode.AccessDenied.Render(w, r, http.StatusForbidden, "permission denied")
 			return
 		}
 		if resp.GetStatus().GetCode() == cs3rpc.Code_CODE_INVALID_ARGUMENT {
@@ -603,7 +603,7 @@
 			return
 		case cs3rpc.Code_CODE_PERMISSION_DENIED:
 			logger.Debug().Interface("id", rid).Msg("could not update drive, permission denied")
-			errorcode.ItemNotFound.Render(w, r, http.StatusNotFound, "drive not found")
+			errorcode.AccessDenied.Render(w, r, http.StatusForbidden, "permission denied")
 			return
 		case cs3rpc.Code_CODE_INVALID_ARGUMENT:
 			logger.Debug().Interface("id", rid).Msg("could not update drive, invalid argument")
@@ -1090,7 +1090,7 @@
 		return
 	case cs3rpc.Code_CODE_PERMISSION_DENIED:
 		logger.Debug().Interface("id", rid).Msg("could not delete drive: permission denied")
-		errorcode.ItemNotFound.Render(w, r, http.StatusNotFound, "drive not found")
+		errorcode.AccessDenied.Render(w, r, http.StatusForbidden, "permission denied")
 		return
 	case cs3rpc.Code_CODE_NOT_FOUND:
 		logger.Debug().Interface("id", rid).Msg("could not delete drive: drive not found")

services/graph/pkg/service/v0/graph_test.go

@@ -657,7 +657,7 @@ var _ = Describe("Graph", func() {
 				err := json.Unmarshal(body, &libreError)
 				Expect(err).To(Not(HaveOccurred()))
 				Expect(libreError.Error.Message).To(Equal("permission denied"))
-				Expect(libreError.Error.Code).To(Equal(errorcode.NotAllowed.String()))
+				Expect(libreError.Error.Code).To(Equal(errorcode.AccessDenied.String()))
 			})
 			It("grpc general error", func() {
 				permissionService.On("GetPermissionByID", mock.Anything, mock.Anything).Return(&settingssvc.GetPermissionByIDResponse{

tests/acceptance/features/apiSpaces/changeSpaces.feature

@@ -51,7 +51,7 @@ Feature: Change data of space
 
   Scenario Outline: user other than space manager role can't change the name of a Space via the Graph API
     When user "<user>" changes the name of the "Project Jupiter" space to "Project Jupiter"
-    Then the HTTP status code should be "404"
+    Then the HTTP status code should be "403"
     Examples:
       | user  |
       | Brian |
@@ -90,7 +90,7 @@ Feature: Change data of space
 
   Scenario Outline: viewer and editor cannot change the description(subtitle) of a space via the Graph API
     When user "<user>" changes the description of the "Project Jupiter" space to "The Death Star is a fictional mobile space station"
-    Then the HTTP status code should be "404"
+    Then the HTTP status code should be "403"
     Examples:
       | user  |
       | Brian |
@@ -335,7 +335,7 @@ Feature: Change data of space
     Given user "Alice" has created a folder ".space" in space "Project Jupiter"
     And user "Alice" has uploaded a file inside space "Project Jupiter" with content "" to ".space/someImageFile.jpg"
     When user "Bob" sets the file ".space/someImageFile.jpg" as a space image in a special section of the "Project Jupiter" space
-    Then the HTTP status code should be "404"
+    Then the HTTP status code should be "403"
 
 
   Scenario Outline: user set new readme file as description of the space via the graph API
@@ -597,4 +597,4 @@ Feature: Change data of space
     Examples:
       | role                          |
       | Space Editor Without Versions |
-      | Space Editor                  |
+      | Space Editor                  |

tests/acceptance/features/apiSpaces/disableAndDeleteSpaces.feature

@@ -125,7 +125,7 @@ Feature: Disabling and deleting space
     Given the administrator has assigned the role "<user-role>" to user "Carol" using the Graph API
     And user "Alice" has disabled a space "Project Moon"
     When user "Carol" tries to delete a space "Project Moon" owned by user "Alice"
-    Then the HTTP status code should be "404"
+    Then the HTTP status code should be "403"
     Examples:
       | user-role  |
       | User       |
@@ -134,7 +134,7 @@ Feature: Disabling and deleting space
 
   Scenario Outline: viewer and space editor cannot disable space
     When user "<user>" tries to disable a space "Project Moon" owned by user "Alice"
-    Then the HTTP status code should be "404"
+    Then the HTTP status code should be "403"
     And the user "<user>" should have a space called "Project Moon"
     Examples:
       | user  |
@@ -145,7 +145,7 @@ Feature: Disabling and deleting space
   Scenario Outline: viewer and space editor cannot delete disabled space
     Given user "Alice" has disabled a space "Project Moon"
     When user "<user>" tries to delete a space "Project Moon" owned by user "Alice"
-    Then the HTTP status code should be "404"
+    Then the HTTP status code should be "403"
     Examples:
       | user  |
       | Brian |

tests/acceptance/features/apiSpaces/spaceManagement.feature

@@ -109,7 +109,7 @@ Feature: Space management
 
   Scenario: user without space admin permission tries to change the name of the project space
     When user "Carol" tries to change the name of the "Project" space to "New Name" owned by user "Alice"
-    Then the HTTP status code should be "404"
+    Then the HTTP status code should be "403"
     And the user "Alice" should have a space called "Project"
 
 
@@ -136,7 +136,7 @@ Feature: Space management
   Scenario: user without space admin permission tries to change the description of the project space
     Given user "Alice" has changed the description of the "Project" space to "old description"
     When user "Carol" tries to change the description of the "Project" space to "New description" owned by user "Alice"
-    Then the HTTP status code should be "404"
+    Then the HTTP status code should be "403"
 
 
   Scenario: space admin user disables the project space
@@ -151,12 +151,8 @@ Feature: Space management
 
 
   Scenario Outline: space admin user tries to disable the personal space
-    When user "<user>" disables a space "Alice Hansen" owned by user "Alice"
-    Then the HTTP status code should be "404"
-    Examples:
-      | user  |
-      | Brian |
-      | Carol |
+    When user "Brian" disables a space "Alice Hansen" owned by user "Alice"
+    Then the HTTP status code should be "403"
 
 
   Scenario: space admin user deletes the project space
@@ -169,7 +165,7 @@ Feature: Space management
   Scenario: user without space admin permission tries to delete the project space
     Given user "Alice" has disabled a space "Project"
     When user "Carol" tries to delete a space "Project" owned by user "Alice"
-    Then the HTTP status code should be "404"
+    Then the HTTP status code should be "403"
 
 
   Scenario: space admin user enables the project space