getCollectionInfoAndCheckPermission returns collectionId for non-existent and disabled collections

[cd-rite]

getCollectionInfoAndCheckPermission is intended to throw a privilege error if user does not have the specified minimum grant for the requested CollectionId, and returns the collectionId and corresponding grant if they do.

When invoked with elevate=true with a non-existent or disabled collectionId, it returns the collectionId and a grant of "undefined" which allows the request to continue being processed in most cases.

In practice, responses will not have any content, but we should probably short-circuit here and throw a 404 instead of the usual 403 privilege error. However, this currently breaks some tests.

stig-manager/api/source/controllers/Collection.js

Lines 344 to 353 in 9919996

	function getCollectionInfoAndCheckPermission(request, minimumAccessLevel = Security.ACCESS_LEVEL.Manage, supportsElevation = false) {
	let collectionId = request.params.collectionId
	const elevate = request.query.elevate
	const collectionGrant = request.userObject.collectionGrants.find( g => g.collection.collectionId === collectionId )
	// If elevate is not set and supported, and the user does not have a grant, or the grant level is below the minimum required, throw an error.
	if (!( (supportsElevation && elevate) || (collectionGrant?.accessLevel >= minimumAccessLevel) )) {
	throw new SmError.PrivilegeError()
	}
	return {collectionId, collectionGrant}
	}