From b60617b849dddfb48d17e5de58a8bdaaac30343b Mon Sep 17 00:00:00 2001
From: Franz Liedke
Date: Wed, 21 Aug 2019 23:46:00 +0200
Subject: [PATCH] Move authentication check into assertCan() method

This will cause the right error (HTTP 401) to be thrown whenever we're checking for a specific permission, but the user is not even logged in. Authenticated users will still get HTTP 403.
---
 src/Api/Controller/ListUsersController.php | 1 -
 src/Group/Command/CreateGroupHandler.php | 1 -
 src/User/AssertPermissionTrait.php | 8 ++++++++
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/Api/Controller/ListUsersController.php b/src/Api/Controller/ListUsersController.php
index b10ed17a4..85d7bfa26 100644
--- a/src/Api/Controller/ListUsersController.php
+++ b/src/Api/Controller/ListUsersController.php
@@ -72,7 +72,6 @@ class ListUsersController extends AbstractListController
 {
 $actor = $request->getAttribute('actor');

- $this->assertRegistered($actor);
 $this->assertCan($actor, 'viewUserList');

 $query = Arr::get($this->extractFilter($request), 'q');
diff --git a/src/Group/Command/CreateGroupHandler.php b/src/Group/Command/CreateGroupHandler.php
index 8a000679e..036443213 100644
--- a/src/Group/Command/CreateGroupHandler.php
+++ b/src/Group/Command/CreateGroupHandler.php
@@ -49,7 +49,6 @@ class CreateGroupHandler
 $actor = $command->actor;
 $data = $command->data;

- $this->assertRegistered($actor);
 $this->assertCan($actor, 'createGroup');

 $group = Group::build(
diff --git a/src/User/AssertPermissionTrait.php b/src/User/AssertPermissionTrait.php
index d3e1ad709..dee93957c 100644
--- a/src/User/AssertPermissionTrait.php
+++ b/src/User/AssertPermissionTrait.php
@@ -55,15 +55,23 @@ trait AssertPermissionTrait
 * @param User $actor
 * @param string $ability
 * @param mixed $arguments
+ * @throws NotAuthenticatedException
 * @throws PermissionDeniedException
 */
 protected function assertCan(User $actor, $ability, $arguments = [])
 {
+ // For non-authenticated users, we throw a different exception to signal
+ // that logging in may help.
+ $this->assertRegistered($actor);
+
+ // If we're logged in, then we need to communicate that the current
+ // account simply does not have enough permissions.
 $this->assertPermission($actor->can($ability, $arguments));
 }

 /**
 * @param User $actor
+ * @throws NotAuthenticatedException
 * @throws PermissionDeniedException
 */
 protected function assertAdmin(User $actor)
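Review bot: Calling `$this->assertRegistered($actor);` before the `assertPermission(...)` line in assertCan() turns every permission check into a hard login requirement, so an ability a guest actor could legitimately hold (if `can()` consults guest-group permissions, which this hunk does not show) is now rejected with the not-authenticated error even though the permission check itself would have passed. The two callers changed in ListUsersController.php and CreateGroupHandler.php are unaffected because they already demanded registration, but any other caller that relied on assertCan() for a guest-permitted ability changes behaviour silently, which is a broader tightening than the commit description states. Evaluating the ability first and only raising NotAuthenticatedException when it is denied to a guest keeps the 401/403 distinction without narrowing what guests may do; the rewrite below does that. The `@throws NotAuthenticatedException` added to the assertAdmin() docblock is only accurate if its body, which lies outside this hunk, delegates to assertCan() or assertRegistered(); please confirm.
```php
protected function assertCan(User $actor, $ability, $arguments = [])
{
    $allowed = $actor->can($ability, $arguments);

    // Only a guest who is denied the ability gets the "logging in may help"
    // signal; a guest who already holds the ability is not turned away.
    if (! $allowed) {
        $this->assertRegistered($actor);
    }

    // A logged-in actor that lacks the ability gets the permission error.
    $this->assertPermission($allowed);
}
```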