From 0a3301642280ee02e2774a65aad398241949ac29 Mon Sep 17 00:00:00 2001
From: Marius
Date: Tue, 17 Feb 2026 16:14:30 +0200
Subject: [PATCH] Fix missing return statements causing security and error reporting issues
---
 src/main/java/uk/ac/cam/cl/dtg/isaac/api/EventsFacade.java | 4 ++--
 src/main/java/uk/ac/cam/cl/dtg/segue/api/EmailFacade.java | 6 ++++++
 src/main/java/uk/ac/cam/cl/dtg/segue/api/GroupsFacade.java | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/main/java/uk/ac/cam/cl/dtg/isaac/api/EventsFacade.java b/src/main/java/uk/ac/cam/cl/dtg/isaac/api/EventsFacade.java
index 82a66504f1..e33779265f 100644
--- a/src/main/java/uk/ac/cam/cl/dtg/isaac/api/EventsFacade.java
+++ b/src/main/java/uk/ac/cam/cl/dtg/isaac/api/EventsFacade.java
@@ -299,7 +299,7 @@ public final Response getEvents(@Context final HttpServletRequest request,
 if (null != currentUser) {
 findByFieldNames = getEventsBookedByUser(request, fieldsToMatch.get(TAGS_FIELDNAME), currentUser);
 } else {
- SegueErrorResponse.getNotLoggedInResponse();
+ return SegueErrorResponse.getNotLoggedInResponse();
 }
 } else if (null != showReservationsOnly && showReservationsOnly) {
 RegisteredUserDTO currentUser = null;
@@ -311,7 +311,7 @@ public final Response getEvents(@Context final HttpServletRequest request,
 if (null != currentUser) {
 findByFieldNames = getEventsReservedByUser(request, currentUser);
 } else {
- SegueErrorResponse.getNotLoggedInResponse();
+ return SegueErrorResponse.getNotLoggedInResponse();
 }
 } else {
 if (filterInstructions == null) {
diff --git a/src/main/java/uk/ac/cam/cl/dtg/segue/api/EmailFacade.java b/src/main/java/uk/ac/cam/cl/dtg/segue/api/EmailFacade.java
index cd5a9fe2db..5fb8ae7225 100644
--- a/src/main/java/uk/ac/cam/cl/dtg/segue/api/EmailFacade.java
+++ b/src/main/java/uk/ac/cam/cl/dtg/segue/api/EmailFacade.java
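Review bot: The root cause — a `SegueErrorResponse` factory whose result was silently discarded — is fixed in the `else` branch here, but nothing prevents it recurring, because `getNotLoggedInResponse()` and `toResponse()` are ordinary methods whose return value the compiler lets a caller drop. The same discarded-result pattern is fixed in @@ -311 below, in all three EmailFacade hunks and in GroupsFacade @@ -317, which argues for a project-wide guard: annotate the `SegueErrorResponse` factories and `toResponse()` with `@CheckReturnValue` (Error Prone or JSR-305) so that an unused error response fails the build rather than reaching production. The two `else` branches in this method are identical, so the logged-in check could be done once before the branch; `getEvents` starts and ends outside the hunks, so whether `findByFieldNames` has a safe default on the other paths cannot be confirmed from here.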
@@ -370,10 +370,12 @@ public final Response sendEmails(@Context final HttpServletRequest request,
 SegueErrorResponse error = new SegueErrorResponse(Status.BAD_REQUEST,
 "An unknown type of role was supplied.");
 log.debug(error.getErrorMessage());
+ return error.toResponse();
 } catch (ContentManagerException e) {
 SegueErrorResponse error = new SegueErrorResponse(Status.INTERNAL_SERVER_ERROR,
 "There was an error retrieving content.");
 log.debug(error.getErrorMessage());
+ return error.toResponse();
 } catch (NoUserLoggedInException e2) {
 return SegueErrorResponse.getNotLoggedInResponse();
 }
@@ -461,10 +463,12 @@ public final Response sendEmailsToUserIds(@Context final HttpServletRequest requ
 SegueErrorResponse error = new SegueErrorResponse(Status.BAD_REQUEST,
 "An unknown type of user was supplied.");
 log.debug(error.getErrorMessage());
+ return error.toResponse();
 } catch (ContentManagerException e) {
 SegueErrorResponse error = new SegueErrorResponse(Status.INTERNAL_SERVER_ERROR,
 "There was an error retrieving content.");
 log.debug(error.getErrorMessage());
+ return error.toResponse();
 } catch (NoUserLoggedInException e2) {
 return SegueErrorResponse.getNotLoggedInResponse();
 } catch (SegueResourceMisuseException e) {
@@ -565,10 +569,12 @@ public final Response sendProvidedEmailWithUserIds(@Context final HttpServletReq
 SegueErrorResponse error = new SegueErrorResponse(Status.BAD_REQUEST,
 "An unknown type of user was supplied.");
 log.debug(error.getErrorMessage());
+ return error.toResponse();
 } catch (ContentManagerException e) {
 SegueErrorResponse error = new SegueErrorResponse(Status.INTERNAL_SERVER_ERROR,
 "There was an error retrieving content.");
 log.debug(error.getErrorMessage());
+ return error.toResponse();
 } catch (NoUserLoggedInException e2) {
 return SegueErrorResponse.getNotLoggedInResponse();
 } catch (SegueResourceMisuseException e) {
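Review bot: The `ContentManagerException` catch now correctly returns a 500, but it still drops the exception it caught — `e` is never logged, and `log.debug(error.getErrorMessage())` records only the generic client-facing text at a level that is typically not enabled in production, so an operator investigating a failed send has no cause or stack trace to work from. Log the cause at a visible level while keeping the response message generic as it is now, e.g. `log.error(error.getErrorMessage(), e);`. The same applies to the `ContentManagerException` catches in @@ -461 and @@ -565, and presumably to the `BAD_REQUEST` catches whose headers lie just above each hunk (their exception variable is not visible here). `sendEmails`, `sendEmailsToUserIds` and `sendProvidedEmailWithUserIds` all start before their hunks.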
diff --git a/src/main/java/uk/ac/cam/cl/dtg/segue/api/GroupsFacade.java b/src/main/java/uk/ac/cam/cl/dtg/segue/api/GroupsFacade.java
index eaddd698ad..5b9c55b52d 100644
--- a/src/main/java/uk/ac/cam/cl/dtg/segue/api/GroupsFacade.java
+++ b/src/main/java/uk/ac/cam/cl/dtg/segue/api/GroupsFacade.java
@@ -317,7 +317,7 @@ public Response getGroupsForGivenUser(@Context final HttpServletRequest request,
 }
 if (!isUserAnAdmin(userManager, request)) {
- SegueErrorResponse.getIncorrectRoleResponse();
+ return SegueErrorResponse.getIncorrectRoleResponse();
 }
 RegisteredUserDTO userOfInterest = userManager.getUserDTOById(userId);
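Review bot: No regression test accompanies this authorization fix — the diffstat lists only the three `src/main` files — even though before the added `return` a non-admin caller fell through the `isUserAnAdmin` check to `userManager.getUserDTOById(userId)` and the rest of `getGroupsForGivenUser`. A test that calls the endpoint as a non-admin and asserts the status of `getIncorrectRoleResponse()` (and that no group or user data is returned) would keep this from silently regressing; the not-logged-in paths in EventsFacade @@ -299 and @@ -311 deserve the same. `getGroupsForGivenUser` starts before the hunk and continues after it, so whether `isUserAnAdmin` itself copes with an anonymous request cannot be judged from here.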