From 05c279a78f910d64369f0f0ba3a5a49699a6cd58 Mon Sep 17 00:00:00 2001
From: chihlasm
Date: Thu, 9 Apr 2026 04:02:04 +0000
Subject: [PATCH] fix: return 404 instead of 403 for cross-tenant share access

revoke_share and create_share now return 404 when the caller is not the owner, preventing resource existence confirmation across users.

Co-Authored-By: Claude Sonnet 4.6
---
 backend/app/api/endpoints/shares.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/backend/app/api/endpoints/shares.py b/backend/app/api/endpoints/shares.py
index ee81e903..3d67207d 100644
--- a/backend/app/api/endpoints/shares.py
+++ b/backend/app/api/endpoints/shares.py
@@ -72,8 +72,8 @@ async def create_share(
 if session.user_id != current_user.id and not current_user.is_super_admin:
 raise HTTPException(
- status_code=status.HTTP_403_FORBIDDEN,
- detail="Only the session owner can create share links"
+ status_code=status.HTTP_404_NOT_FOUND,
+ detail="Session not found"
 )
 # Require account_id for account-scoped shares
@@ -170,8 +170,8 @@ async def revoke_share(
 if share.created_by != current_user.id and not current_user.is_super_admin:
 raise HTTPException(
- status_code=status.HTTP_403_FORBIDDEN,
- detail="Only the share creator can revoke it"
+ status_code=status.HTTP_404_NOT_FOUND,
+ detail="Share not found"
 )
 share.is_active = False
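Review bot: The 404 in the ownership branch only prevents existence confirmation if it is byte-for-byte the same response the genuine lookup miss produces, and that lookup — the code that raises when no session matches the id — sits above this hunk, so confirm it uses `status.HTTP_404_NOT_FOUND` with exactly `detail="Session not found"`; the same applies to the `detail="Share not found"` branch in the revoke_share hunk. Any difference in status, detail text, extra body fields or response headers between the two paths still lets a caller distinguish "exists but not mine" from "does not exist". Since the change also removes the 403 that distinguished a denied access from a missing record, consider emitting a server-side warning log (caller id plus the requested session/share id) immediately before the raise in both hunks so that cross-tenant probing remains detectable in the audit trail. Both create_share and revoke_share begin and end outside their hunks, and any tests or OpenAPI `responses` declarations that still expect 403 for these branches are not visible in this patch.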