From 9e897bcfdaad2f0c00d026d635de34d0a39abb8a Mon Sep 17 00:00:00 2001
From: Konstantin Tsabolov <ktsabolov@gmail.com>
Date: Thu, 10 May 2018 19:36:15 +0200
Subject: [PATCH] Return HTTP 403 if user is not allowed to perform an
 operation

---
 .../config/policies/permissions.js                              | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/strapi-plugin-users-permissions/config/policies/permissions.js b/packages/strapi-plugin-users-permissions/config/policies/permissions.js
index 0905e2195c..87ee1c59e0 100644
--- a/packages/strapi-plugin-users-permissions/config/policies/permissions.js
+++ b/packages/strapi-plugin-users-permissions/config/policies/permissions.js
@@ -39,7 +39,7 @@ module.exports = async (ctx, next) => {
   }, []);
 
   if (!permission) {
-    ctx.unauthorized();
+    ctx.forbidden();
 
     return ctx.request.graphql = ctx.body;
   }