author | Igor Scheller <igor.scheller@igorshp.de> | 2019-09-18 14:09:30 +0200 |
---|---|---|
committer | Igor Scheller <igor.scheller@igorshp.de> | 2019-09-18 14:09:30 +0200 |
commit | 35b820cd7de904e50bd78cee197ebd379985ec58 (patch) | |
tree | 68a1c082839fb626a9cf0594d995348b741f06a1 /includes/controller | |
parent | 154625bc8a69265f78293ae47f9c63dd79858701 (diff) |
Use 403 forbidden on shifts json, atom export and ical export
Diffstat (limited to 'includes/controller')
-rw-r--r-- | includes/controller/shifts_controller.php | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/includes/controller/shifts_controller.php b/includes/controller/shifts_controller.php
index caf124ba..726814cf 100644
--- a/includes/controller/shifts_controller.php
+++ b/includes/controller/shifts_controller.php
@@ -1,5 +1,6 @@
 <?php
+use Engelsystem\Http\Exceptions\HttpForbidden;
 use Engelsystem\ShiftSignupState;
 /**
@@ -348,17 +349,18 @@ function shift_next_controller()
 function shifts_json_export_controller()
 {
 $request = request();
+ $user = auth()->apiUser('key');
- if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
- engelsystem_error('Missing key.');
+ if (
+ !$request->has('key')
+ || !preg_match('/^[\da-f]{32}$/', $request->input('key'))
+ || !$user
+ ) {
+ throw new HttpForbidden('{"error":"Missing or invalid key"}', ['content-type' => 'application/json']);
 }
- $user = auth()->apiUser('key');
- if (!$user) {
- engelsystem_error('Key invalid.');
- }
 if (!auth()->can('shifts_json_export')) {
- engelsystem_error('No privilege for shifts_json_export.');
+ throw new HttpForbidden('{"error":"Not allowed"}', ['content-type' => 'application/json']);
 }
 $shifts = load_ical_shifts(); |
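Review bot: In shifts_json_export_controller() the lookup `$user = auth()->apiUser('key');` now runs before the `has('key')` / `preg_match` checks, so a missing or malformed `key` reaches the lookup unvalidated and the format check no longer guards anything. Presumably apiUser() reads the raw request value and queries the user store with it, so validation should stay in front of the lookup. A non-string `key` (for example an array parameter) would also reach `preg_match`, which is worth rejecting explicitly. I would write `$key = $request->input('key');` then `$user = is_string($key) && preg_match('/^[\da-f]{32}$/', $key) ? auth()->apiUser('key') : null;` and reduce the condition to `if (!$user) {`. The function body continues past the end of this hunk, so any later use of `$user` is not visible here.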