From bc1bcf6e8d3ce96c946de1086a778f2dfd84330e Mon Sep 17 00:00:00 2001
From: aarbit
Date: Thu, 14 May 2026 22:46:26 -0500
Subject: [PATCH] Makes forbidden actions have clearer responses
---
 .../error/exception/ForbiddenException.kt | 2 +-
 .../scavengerhuntapi/service/PhotoService.kt | 20 ++++++++++++++-----
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/src/main/kotlin/net/halfbinary/scavengerhuntapi/error/exception/ForbiddenException.kt b/src/main/kotlin/net/halfbinary/scavengerhuntapi/error/exception/ForbiddenException.kt
index 14fec32..de9bac5 100644
--- a/src/main/kotlin/net/halfbinary/scavengerhuntapi/error/exception/ForbiddenException.kt
+++ b/src/main/kotlin/net/halfbinary/scavengerhuntapi/error/exception/ForbiddenException.kt
@@ -1,3 +1,3 @@
 package net.halfbinary.scavengerhuntapi.error.exception
-class ForbiddenException(override val message: String): RuntimeException(message)
+class ForbiddenException: RuntimeException("Access Denied.")
diff --git a/src/main/kotlin/net/halfbinary/scavengerhuntapi/service/PhotoService.kt b/src/main/kotlin/net/halfbinary/scavengerhuntapi/service/PhotoService.kt
index 3cabbb6..e9d2518 100644
--- a/src/main/kotlin/net/halfbinary/scavengerhuntapi/service/PhotoService.kt
+++ b/src/main/kotlin/net/halfbinary/scavengerhuntapi/service/PhotoService.kt
@@ -72,8 +72,12 @@ class PhotoService(
 ?: throw NotFoundException("Photo not found")
 if (!requestingHunter.isAdmin) {
- val team = teamService.getTeamForHunterInHunt(huntId, email)
- if (team.id != teamId) throw ForbiddenException("Access denied")
+ val team = try {
+ teamService.getTeamForHunterInHunt(huntId, email)
+ } catch (_: NotFoundException) {
+ throw ForbiddenException()
+ }
+ if (team.id != teamId) throw ForbiddenException()
 }
 val submitter = hunterService.getHunterById(photoRecord.hunterId)
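Review bot: In ForbiddenException.kt, the new no-argument class leaves callers no way to attach the underlying reason, and both catch blocks added in PhotoService.kt discard the NotFoundException they caught, so server-side logs cannot tell a hunter with no team in the hunt from a team mismatch. Keeping the client-facing text fixed while accepting an optional cause would preserve that for diagnostics: `class ForbiddenException(cause: Throwable? = null) : RuntimeException("Access Denied.", cause)`. Whether the cause could then reach the response depends on the error handler, which is not visible here. Dropping the `message` parameter also breaks any other call site that still passes a string; only PhotoService.kt is updated in this patch. A short KDoc saying the message is deliberately constant, so a response does not reveal why access was refused, would stop someone from re-adding the parameter.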
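Review bot: In the first PhotoService.kt hunk, the team check still runs after the lookup that ends in `?: throw NotFoundException("Photo not found")`, so a non-admin outside the team gets "Photo not found" for a missing photo and "Access Denied." for an existing one, and the two responses together disclose which photos exist. The check in this hunk reads only `huntId`, `email` and `teamId`, so it looks like it could run before the photo lookup. The start of the function is outside the hunk, so confirm those values are request parameters and not derived from `photoRecord` before moving it.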
@@ -87,9 +91,15 @@ class PhotoService(
 if (!requestingHunter.isAdmin) {
 val submitter = hunterService.getHunterById(photoRecord.hunterId)
- val requestingTeam = teamService.getTeamForHunterInHunt(photoRecord.huntId, requestingHunter.email)
- val submitterTeam = teamService.getTeamForHunterInHunt(photoRecord.huntId, submitter.email)
- if (requestingTeam.id != submitterTeam.id) throw ForbiddenException("Access denied")
+ try {
+ val requestingTeam =
+ teamService.getTeamForHunterInHunt(photoRecord.huntId, requestingHunter.email)
+ val submitterTeam =
+ teamService.getTeamForHunterInHunt(photoRecord.huntId, submitter.email)
+ if (requestingTeam.id != submitterTeam.id) throw ForbiddenException()
+ } catch (_: NotFoundException) {
+ throw ForbiddenException()
+ }
 }
 val key = when (version) {
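Review bot: In the second PhotoService.kt hunk, the `try` wraps the submitter's team lookup as well as the requester's, so a photo whose submitter no longer has a team in the hunt is reported as "Access Denied." to every non-admin, and the cause is discarded by `catch (_: NotFoundException)`. That fails closed, which is fine for the response, but it hides what looks like a data inconsistency rather than an authorization failure; naming the exception and recording it server-side before `throw ForbiddenException()` would keep it visible. `hunterService.getHunterById(photoRecord.hunterId)` stays outside the `try`, so if it can also throw NotFoundException (not visible here) a non-admin would get a different response for that case. The same try/catch translation now appears in both hunks of this file; a small private helper would keep the two checks consistent with the try-expression form used in the first hunk.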