I've connected Node-RED to an OIDC provider and assign permissions by mapping roles to the username. I have two roles: flow-admin and flow-designer. They only differ in the capability of reading and writing one particular library.
As the library has no access (as far as I found out) to user, session, request or response objects, I need to handle the library permission in settings.httpAdminMiddleware.
I get the library from req.url, the current token from req.rawHeaders, sessions from the storage class and the method from req.method. For reading I can terminate by writing an empty object as JSON with res.write and res.status(200).end(). That all works as expected.
To deny write access I would like to terminate with a "Permission denied" message and a status code of 400 to let the frontend show the message - just like the core when the library has no saveEntry method. But when I quit with res.status(400).end() the response on the client is still 200 and the frontend displays a successful write message.
Any hint is appreciated!
Thanks and regards,
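
A guard of the kind described in the post, written as an Express-style function that could be assigned to settings.httpAdminMiddleware. It is an added example, not the poster's code and not part of Node-RED. The library id `team-lib`, the token table, treating flow-admin as the privileged role, the bearer header, the `/library/<id>/<type>/<path>` URL shape and the error body are all assumptions.

```javascript
// Added example; every name and value below is hypothetical unless quoted from the post.
const PROTECTED_LIBRARY = "team-lib";              // hypothetical library id
const PRIVILEGED_ROLES = new Set(["flow-admin"]);  // assumption: this role may read and write
// Constructed token -> role table standing in for the session storage lookup.
const SAMPLE_SESSIONS = { "tok-admin": "flow-admin", "tok-designer": "flow-designer" };

function roleForToken(token) {
  return Object.prototype.hasOwnProperty.call(SAMPLE_SESSIONS, token)
    ? SAMPLE_SESSIONS[token] : null;
}

function bearerToken(req) {
  const header = (req.headers && req.headers.authorization) || "";
  const m = /^Bearer\s+(\S+)$/i.exec(header);
  return m ? m[1] : null;
}

// Returns undefined for non-library URLs, null for an undecodable id, else the decoded id.
function libraryIdFromUrl(url) {
  const m = /^\/library\/([^/?#]+)/.exec(url || "");
  if (!m) return undefined;
  try {
    return decodeURIComponent(m[1]);   // "team%2Dlib" must match "team-lib"
  } catch (e) {
    return null;                       // malformed escape: treated as protected (fail closed)
  }
}

function libraryGuard(req, res, next) {
  const id = libraryIdFromUrl(req.url);
  if (id === undefined || (id !== null && id !== PROTECTED_LIBRARY)) return next();
  if (PRIVILEGED_ROLES.has(roleForToken(bearerToken(req)))) return next();

  // Express cannot change the status once headers are sent, so the status is set
  // before anything is written. The response is finished here and next() is not
  // called, so no later handler sees the request.
  if (req.method === "GET") {
    res.status(200).json({});          // reads: empty result, as in the post
  } else {
    res.status(400).json({ error: "permission_denied", message: "Permission denied" });
  }
}
```

The id is decoded before comparison so that a percent-encoded spelling of the protected library name is checked the same way as the plain one.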