Be verbose about fields a client might try to set

Author: travispaul

lib/endpoints/accesskeys.js

@@ -93,7 +93,13 @@ function create(req, res, next) {
     // create a non-permanent key, make it obvious that it isn't supported.
     if (req.params.credentialtype &&
         req.params.credentialtype !== 'permanent') {
-        next(new InternalError('credentialtype cannot be set via CloudAPI'));
+        next(new ForbiddenError('credentialtype cannot be set via CloudAPI'));
+        return;
+    }
+
+    // Make it clear that expiration cannot be set.
+    if (req.params.expiration) {
+        next(new ForbiddenError('expiration cannot be set via CloudAPI'));
         return;
     }
 
@@ -344,6 +350,17 @@ function update(req, res, next) {
         params.description = req.params.description;
     }
 
+    // Make it clear that credential type and expiration cannot be changed.
+    if (req.params.credentialtype) {
+        next(new ForbiddenError('credentialtype cannot be set via CloudAPI'));
+        return;
+    }
+
+    if (req.params.expiration) {
+        next(new ForbiddenError('expiration cannot be set via CloudAPI'));
+        return;
+    }
+
     try {
         ufds.updateAccessKey(user, account, params,
             function _updateAccessKeyCb(err, accesskey) {