Merge pull request #6139 from Shopify/handle_access_denied_file_upload

Handle access denied file upload error

Author: szluzero

packages/store/src/services/store/errors/errors.test.ts

@@ -225,4 +225,15 @@ describe('Unauthorized Error Codes', () => {
       "You are not authorized to copy data between these stores\n\nTo export data from \"source.myshopify.com\"\n• You'll need the 'bulk data > export' permission\n\nTo import data to \"target.myshopify.com\"\n• You'll need the 'bulk data > import' permission",
     )
   })
+
+  test('should create STAGED_UPLOAD_ACCESS_DENIED error', () => {
+    const error = new OperationError('upload', ErrorCodes.STAGED_UPLOAD_ACCESS_DENIED)
+
+    expect(error).toBeInstanceOf(OperationError)
+    expect(error.operation).toBe('upload')
+    expect(error.code).toBe(ErrorCodes.STAGED_UPLOAD_ACCESS_DENIED)
+    expect(error.message).toBe(
+      "You don't have permission to upload files to this store.\n\nYou'll need the 'bulk data > import' permission to upload files.",
+    )
+  })
 })

packages/store/src/services/store/errors/errors.ts

@@ -30,6 +30,7 @@ export const ErrorCodes = {
   UNAUTHORIZED_IMPORT: 'UNAUTHORIZED_IMPORT',
   UNAUTHORIZED_COPY: 'UNAUTHORIZED_COPY',
   MISSING_EA_ACCESS: 'MISSING_EA_ACCESS',
+  STAGED_UPLOAD_ACCESS_DENIED: 'STAGED_UPLOAD_ACCESS_DENIED',
 } as const
 
 interface ErrorParams {
@@ -132,6 +133,8 @@ function generateErrorMessage(code: string, params?: ErrorParams, requestId?: st
       )
     case ErrorCodes.MISSING_EA_ACCESS:
       return `This command is in Early Access and is not yet available for the requested store(s).`
+    case ErrorCodes.STAGED_UPLOAD_ACCESS_DENIED:
+      return `You don't have permission to upload files to this store.\n\nYou'll need the 'bulk data > import' permission to upload files.`
 
     default:
       return 'An error occurred'

packages/store/src/services/store/utils/file-uploader.test.ts

@@ -177,5 +177,26 @@ describe('FileUploader', () => {
         params: {details: '403 Forbidden. Access denied'},
       })
     })
+
+    test('should throw staged upload access denied error when GraphQL returns ACCESS_DENIED', async () => {
+      const accessDeniedError = {
+        errors: [
+          {
+            message: 'Access denied for stagedUploadsCreate field.',
+            extensions: {
+              code: 'ACCESS_DENIED',
+            },
+          },
+        ],
+      }
+      vi.mocked(createStagedUploadAdmin).mockRejectedValue(accessDeniedError)
+
+      const promise = fileUploader.uploadSqliteFile(mockFilePath, mockStoreFqdn)
+      await expect(promise).rejects.toThrow(OperationError)
+      await expect(promise).rejects.toMatchObject({
+        operation: 'upload',
+        code: ErrorCodes.STAGED_UPLOAD_ACCESS_DENIED,
+      })
+    })
   })
 })

packages/store/src/services/store/utils/file-uploader.ts

@@ -21,7 +21,15 @@ export class FileUploader {
       fileSize: sizeOfFile.toString(),
     }
 
-    const stagedUploadResponse = await createStagedUploadAdmin(storeFqdn, [uploadInput], 'unstable')
+    let stagedUploadResponse
+    try {
+      stagedUploadResponse = await createStagedUploadAdmin(storeFqdn, [uploadInput], 'unstable')
+    } catch (error) {
+      if (this.isAccessDeniedError(error)) {
+        throw new OperationError('upload', ErrorCodes.STAGED_UPLOAD_ACCESS_DENIED)
+      }
+      throw error
+    }
 
     if (!stagedUploadResponse.stagedUploadsCreate?.stagedTargets?.length) {
       throw new OperationError('upload', ErrorCodes.STAGED_UPLOAD_FAILED, {
@@ -76,6 +84,11 @@ export class FileUploader {
     return finalResourceUrl
   }
 
+  private isAccessDeniedError(error: unknown): boolean {
+    const errors = (error as {errors?: {extensions?: {code?: string}}[]})?.errors
+    return errors?.some((err) => err.extensions?.code === 'ACCESS_DENIED') ?? false
+  }
+
   private async validateSqliteFile(filePath: string): Promise<void> {
     try {
       if (!fileExistsSync(filePath)) {