From 4c373cfe68c54f819117e278ca95bb1976b11895 Mon Sep 17 00:00:00 2001
From: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com>
Date: Thu, 14 Nov 2024 13:00:03 -0700
Subject: [PATCH] return a better error when mutation access is not allowed (#68)
Signed-off-by: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com>
---
 entfga/templates/authzChecks.tmpl | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/entfga/templates/authzChecks.tmpl b/entfga/templates/authzChecks.tmpl
index 60d466a..4949707 100644
--- a/entfga/templates/authzChecks.tmpl
+++ b/entfga/templates/authzChecks.tmpl
@@ -11,6 +11,10 @@ import (
 "github.com/theopenlane/iam/auth"
 )
+var (
+ ErrPermissionDenied = errors.New("you are not authorized to perform this action")
+)
+
 {{- $nodes := .Graph.Nodes }}
 {{- range $n := $nodes }}
@@ -190,8 +194,8 @@ import (
 return privacy.Allow
 }
- // deny if it was a mutation is not allowed
- return privacy.Deny
+ // return error if the action is not allowed
+ return ErrPermissionDenied
 }
 func (m *{{ $mutator }}) CheckAccessForDelete(ctx context.Context) error {
@@ -230,8 +234,8 @@ import (
 return privacy.Allow
 }
- // deny if it was a mutation is not allowed
- return privacy.Deny
+ // return error if the action is not allowed
+ return ErrPermissionDenied
 }
 {{- end }}
 {{- end }}
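Review bot: `ErrPermissionDenied` in the first hunk is built with `errors.New`, so the errors now returned at the end of the second hunk's check and of `CheckAccessForDelete` in the third hunk no longer satisfy `errors.Is(err, privacy.Deny)`. The denial still fails closed as far as these lines show, because a non-nil error is returned, but any caller, middleware or audit hook that recognises an authorization denial by matching the `privacy.Deny` sentinel would presumably start treating it as a generic failure. Consider wrapping the sentinel, e.g. `ErrPermissionDenied = fmt.Errorf("you are not authorized to perform this action: %w", privacy.Deny)` (assuming `fmt` is available to the generated file), and giving the exported variable a doc comment such as `// ErrPermissionDenied is returned when the authorization check rejects a mutation.` Both check functions begin outside their hunks, so the paths leading to these returns are not visible here.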