From 668f4d59790c1f87bf83ee3759adab95348b7723 Mon Sep 17 00:00:00 2001
From: Larry Gregory
Date: Sun, 13 Dec 2020 12:40:50 -0500
Subject: [PATCH] Fix fleet route protections (#85626)
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
---
 x-pack/plugins/fleet/server/routes/security.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugins/fleet/server/routes/security.ts b/x-pack/plugins/fleet/server/routes/security.ts
index c2348c313e583..ec89668111860 100644
--- a/x-pack/plugins/fleet/server/routes/security.ts
+++ b/x-pack/plugins/fleet/server/routes/security.ts
@@ -14,7 +14,12 @@ export function enforceSuperUser(
 const security = appContextService.getSecurity();
 const user = security.authc.getCurrentUser(req);
 if (!user) {
- return res.unauthorized();
+ return res.forbidden({
+ body: {
+ message:
+ 'Access to Fleet API require the superuser role, and for stack security features to be enabled.',
+ },
+ });
 }
 const userRoles = user.roles || [];
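Review bot: The new `res.forbidden` branch under `if (!user)` carries no comment explaining why a missing user is now answered with 403 instead of 401, and its message has a grammar slip: `'Access to Fleet API requires the superuser role, and for stack security features to be enabled.',`. Judging by the message text, a null result from `getCurrentUser(req)` seems to cover both an unauthenticated request and stack security being disabled; a one-line comment such as `// No current user (security disabled or unauthenticated): fail closed with 403.` would record that intent for the next maintainer. The diffstat lists only this file, so a regression test asserting the 403 and message body for a null user would be worth adding, since this guard is the access-control decision for the Fleet routes. `enforceSuperUser` starts and ends outside the hunk, so the role check that follows `user.roles || []` is not visible here.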