Address PR feedback - isSuperUser check

x-pack/plugins/enterprise_search/server/lib/check_access.test.ts

@@ -22,6 +22,11 @@ describe('checkAccess', () => {
  hasAllRequested: false,
  }),
  }),
+ actions: {
+ ui: {
+ get: () => null,
+ },
+ },
  },
  };
  const mockDependencies = {
@@ -60,19 +65,30 @@ describe('checkAccess', () => {
  });
  });
 
- it("falls back to assuming a non-superuser role if a user's roles cannot be accessed", async () => {
+ it('falls back to assuming a non-superuser role if auth credentials are missing', async () => {
  const security = {
- ...mockSecurity,
  authz: {
- mode: { useRbacForRequest: () => true },
- checkPrivilegesWithRequest: undefined,
+ ...mockSecurity.authz,
+ checkPrivilegesWithRequest: () => ({
+ globally: () => Promise.reject({ statusCode: 403 }),
+ }),
  },
  };
  expect(await checkAccess({ ...mockDependencies, security })).toEqual({
  hasAppSearchAccess: false,
  hasWorkplaceSearchAccess: false,
  });
  });
+
+ it('throws other authz errors', async () => {
+ const security = {
+ authz: {
+ ...mockSecurity.authz,
+ checkPrivilegesWithRequest: undefined,
+ },
+ };
+ await expect(checkAccess({ ...mockDependencies, security })).rejects.toThrow();
+ });
  });
 
  describe('when the user is a non-superuser', () => {

x-pack/plugins/enterprise_search/server/lib/check_access.ts

@@ -54,7 +54,10 @@ export const checkAccess = async ({
  .globally(security.authz.actions.ui.get('enterprise_search', 'app_search'));
  return hasAllRequested;
  } catch (err) {
- return false;
+ if (err.statusCode === 401 || err.statusCode === 403) {
+ return false;
+ }
+ throw err;
  }
  };
  if (await isSuperUser()) {