fix: Add 403 response for admin pages

Signed-off-by: provokateurin <[email protected]>

Author: provokateurin

generate-spec.php

@@ -573,6 +573,7 @@
 				$isCORS,
 				$isNoCSRFRequired,
 				$isPublic,
+				$isAdmin,
 			);
 		}
 
@@ -757,26 +758,35 @@
 			// Add empty authentication, meaning that it's optional. We can't know if there is a difference in behaviour for authenticated vs. unauthenticated access on public pages (e.g. capabilities)
 			$security[] = new stdClass();
 		} else {
-			$mergedResponses[401] ??= [
-				'description' => 'Current user is not logged in',
-				'content' => [
-					'application/json' => [
-						'schema' => $route->isOCS
-							? Helpers::wrapOCSResponse(new stdClass())
-							: [
-								'type' => 'object',
-								'required' => [
-									'message',
-								],
-								'properties' => [
-									'message' => [
-										'type' => 'string',
-									],
+			$content = [
+				'application/json' => [
+					'schema' => $route->isOCS
+						? Helpers::wrapOCSResponse(new stdClass())
+						: [
+							'type' => 'object',
+							'required' => [
+								'message',
+							],
+							'properties' => [
+								'message' => [
+									'type' => 'string',
 								],
 							],
-					],
+						],
 				],
 			];
+
+			$mergedResponses[401] ??= [
+				'description' => 'Current user is not logged in',
+				'content' => $content,
+			];
+
+			if ($route->isAdmin) {
+				$mergedResponses[403] ??= [
+					'description' => 'Logged in account must be an admin',
+					'content' => $content,
+				];
+			}
 		}
 		if (!$route->isCORS) {
 			// Bearer auth is not allowed on CORS routes

src/Route.php

@@ -21,6 +21,7 @@ public function __construct(
 		public bool $isCORS,
 		public bool $isNoCSRFRequired,
 		public bool $isPublic,
+		public bool $isAdmin,
 	) {
 	}