chihlasm/resolutionflow
1
0
Fork 0
Code Issues 23 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: return 404 instead of 403 for cross-tenant share access

Browse Source 
revoke_share and create_share now return 404 when the caller is not the
owner, preventing resource existence confirmation across users.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
chihlasm
2026-04-09 04:02:04 +00:00
parent aa8d555cb6
commit 05c279a78f
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
backend/app/api/endpoints/shares.py
View File

@@ -72,8 +72,8 @@ async def create_share(
if session.user_id != current_user.id and not current_user.is_super_admin: if session.user_id != current_user.id and not current_user.is_super_admin:
raise HTTPException( raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN, status_code=status.HTTP_404_NOT_FOUND,
detail="Only the session owner can create share links" detail="Session not found"
) )
# Require account_id for account-scoped shares # Require account_id for account-scoped shares
@@ -170,8 +170,8 @@ async def revoke_share(
if share.created_by != current_user.id and not current_user.is_super_admin: if share.created_by != current_user.id and not current_user.is_super_admin:
raise HTTPException( raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN, status_code=status.HTTP_404_NOT_FOUND,
detail="Only the share creator can revoke it" detail="Share not found"
) )
share.is_active = False share.is_active = False