Disambiguate 401 and 403 when accessing /projects (#719)

Previously, Editor-API would return a `403` error for any project access
that failed, including accesses that should have received a `401
Unauthorized` error.

This change checks the state of `current_user` to decide whether to
return `401` or `403`. This will then allow client applications like
Experience CS to properly route the user to either log in and retry or
present an error page with explanations as to why the `403` occurred.

## Status

- Related to RaspberryPiFoundation/experience-cs#1890

## Points for consideration:

- Security
- It may appear as if this change now leaks the existence of a given
project identifier to an unauthenticated user but they were being leaked
anyway. Some APIs return 404 to unauthenticated users accessing specific
record endpoints in order to prevent identifier enumeration, but
editor-api never did this anyway.

## What's changed?

- Modification to `api_controller.rb#denied` to:
- render `status: :forbidden` when the user is logged in but denied
access
- rebder `status: :unauthorized` when the user is NOT logged in and
denied access.
 
Previously, both conditions would render `:forbidden`.

## Steps to perform after deploying to production

Nothing required.

No changes are required in `editor-ui` either as 401 and 403 are
[already handled
identically](https://github.com/RaspberryPiFoundation/editor-ui/blob/eed2940b52f6e1d75e0f0c0bd8b2e36561ec2999/src/redux/reducers/loadProjectReducers.js#L40)
in `loadProjectReducers.js` in that codebase.

Author: fspeirs

app/controllers/api_controller.rb

@@ -23,8 +23,12 @@ def authorize_user
     render json: { error: 'Unauthorized' }, status: :unauthorized unless current_user
   end
 
-  def denied(exception)
-    render_error_as_json(exception, :forbidden)
+  def denied(_exception)
+    if current_user
+      render json: { error: 'Forbidden' }, status: :forbidden
+    else
+      render json: { error: 'Unauthorized' }, status: :unauthorized
+    end
   end
 
   def not_found(exception)

spec/requests/api_controller_spec.rb

@@ -76,18 +76,40 @@ def index
       test_controller.error = CanCan::AccessDenied.new('foo')
     end
 
-    it 'responds with 403 Forbidden status code' do
-      get '/test'
+    context 'when current_user is not set' do
+      it 'responds with 401 Unauthorized status code' do
+        get '/test'
+
+        expect(response).to have_http_status(:unauthorized)
+      end
+
+      it 'responds with JSON including error message' do
+        get '/test'
 
-      expect(response).to have_http_status(:forbidden)
+        expect(response.parsed_body).to include(
+          'error' => 'Unauthorized'
+        )
+      end
     end
 
-    it 'responds with JSON including exception class & message' do
-      get '/test'
+    context 'when current_user is set' do
+      before do
+        allow(User).to receive(:from_token).and_return(User.new)
+      end
 
-      expect(response.parsed_body).to include(
-        'error' => 'CanCan::AccessDenied: foo'
-      )
+      it 'responds with 403 Forbidden status code' do
+        get '/test', headers: { 'Authorization' => 'secret' }
+
+        expect(response).to have_http_status(:forbidden)
+      end
+
+      it 'responds with JSON including error message' do
+        get '/test', headers: { 'Authorization' => 'secret' }
+
+        expect(response.parsed_body).to include(
+          'error' => 'Forbidden'
+        )
+      end
     end
   end
 

spec/requests/projects/show_spec.rb

@@ -254,10 +254,10 @@
         }.to_json
       end
 
-      it 'returns forbidden response' do
+      it 'returns unauthorized response' do
         get("/api/projects/#{project.identifier}", headers:)
 
-        expect(response).to have_http_status(:forbidden)
+        expect(response).to have_http_status(:unauthorized)
       end
 
       it 'does not return the project json' do