From e3ab0a4e3ddb4b1bfacd2b82073c4a48e58751d6 Mon Sep 17 00:00:00 2001
From: =Corey Hulen <corey@hulen.com>
Date: Mon, 6 Jul 2015 11:20:40 -0800
Subject: team code review

---
 api/context.go |  1 +
 api/user.go    | 11 ++++++-----
 2 files changed, 7 insertions(+), 5 deletions(-)

(limited to 'api')

diff --git a/api/context.go b/api/context.go
index 501e4e77f..bea0fbeff 100644
--- a/api/context.go
+++ b/api/context.go
@@ -84,6 +84,7 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		if forwardProto == "http" {
 			l4g.Info("redirecting http request to https for %v", r.URL.Path)
 			http.Redirect(w, r, "https://"+r.Host, http.StatusTemporaryRedirect)
+			return
 		} else {
 			protocol = "https"
 		}
diff --git a/api/user.go b/api/user.go
index 292d2b61b..da6a24ab4 100644
--- a/api/user.go
+++ b/api/user.go
@@ -289,7 +289,7 @@ func login(c *Context, w http.ResponseWriter, r *http.Request) {
 	if !model.ComparePassword(user.Password, props["password"]) {
 		c.LogAuditWithUserId(user.Id, "fail")
 		c.Err = model.NewAppError("login", "Login failed because of invalid password", extraInfo)
-		c.Err.StatusCode = http.StatusBadRequest
+		c.Err.StatusCode = http.StatusForbidden
 		return
 	}
 
@@ -417,7 +417,7 @@ func getSessions(c *Context, w http.ResponseWriter, r *http.Request) {
 	params := mux.Vars(r)
 	id := params["id"]
 
-	if !c.HasPermissionsToUser(id, "getAudits") {
+	if !c.HasPermissionsToUser(id, "getSessions") {
 		return
 	}
 
@@ -740,7 +740,7 @@ func updateUser(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !c.HasPermissionsToUser(user.Id, "updateUsers") {
+	if !c.HasPermissionsToUser(user.Id, "updateUser") {
 		return
 	}
 
@@ -813,12 +813,13 @@ func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) {
 
 	if !model.ComparePassword(user.Password, currentPassword) {
 		c.Err = model.NewAppError("updatePassword", "Update password failed because of invalid password", "")
-		c.Err.StatusCode = http.StatusBadRequest
+		c.Err.StatusCode = http.StatusForbidden
 		return
 	}
 
 	if uresult := <-Srv.Store.User().UpdatePassword(c.Session.UserId, model.HashPassword(newPassword)); uresult.Err != nil {
-		c.Err = uresult.Err
+		c.Err = model.NewAppError("updatePassword", "Update password failed", uresult.Err.Error())
+		c.Err.StatusCode = http.StatusForbidden
 		return
 	} else {
 		c.LogAudit("completed")
-- 
cgit v1.2.3-1-g7c22