Improve publish permission error message to show available permissions (#417)

domdomegg · web-flow · commit 1236f3732d5d · 2025-09-10T12:28:22.000-07:00
## Summary The permission error now displays what namespaces the user has permission to publish and what namespace they attempted to publish. This helps users debug permission mismatches more easily. Helps mitigate #398 to enable us to figure out what's going on
diff --git a/internal/api/handlers/v0/publish.go b/internal/api/handlers/v0/publish.go
@@ -50,7 +50,7 @@ func RegisterPublishEndpoint(api huma.API, registry service.RegistryService, cfg
 
 		// Verify that the token has permission to publish the server
 		if !jwtManager.HasPermission(input.Body.Name, auth.PermissionActionPublish, claims.Permissions) {
-			return nil, huma.Error403Forbidden("You do not have permission to publish this server")
+			return nil, huma.Error403Forbidden(buildPermissionErrorMessage(input.Body.Name, claims.Permissions))
 		}
 
 		// Publish the server with extensions
@@ -65,3 +65,24 @@ func RegisterPublishEndpoint(api huma.API, registry service.RegistryService, cfg
 		}, nil
 	})
 }
+
+// buildPermissionErrorMessage creates a detailed error message showing what permissions
+// the user has and what they're trying to publish
+func buildPermissionErrorMessage(attemptedResource string, permissions []auth.Permission) string {
+	var permissionStrs []string
+	for _, perm := range permissions {
+		if perm.Action == auth.PermissionActionPublish {
+			permissionStrs = append(permissionStrs, perm.ResourcePattern)
+		}
+	}
+	
+	errorMsg := "You do not have permission to publish this server"
+	if len(permissionStrs) > 0 {
+		errorMsg += ". You have permission to publish: " + strings.Join(permissionStrs, ", ")
+	} else {
+		errorMsg += ". You do not have any publish permissions"
+	}
+	errorMsg += ". Attempting to publish: " + attemptedResource
+	
+	return errorMsg
+}
