From 0e0fccbbfaeab7cce5d2b554c91f6a74c1c7d2d4 Mon Sep 17 00:00:00 2001
From: chihlasm
Date: Thu, 9 Apr 2026 04:02:09 +0000
Subject: [PATCH] fix: return 404 instead of 403 for cross-account step category access

get_step_category now returns 404 for account-specific categories that belong to another account, preventing resource existence confirmation.

Co-Authored-By: Claude Sonnet 4.6
---
 backend/app/api/endpoints/step_categories.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/app/api/endpoints/step_categories.py b/backend/app/api/endpoints/step_categories.py
index 5d890225..53770bee 100644
--- a/backend/app/api/endpoints/step_categories.py
+++ b/backend/app/api/endpoints/step_categories.py
@@ -94,8 +94,8 @@ async def get_step_category(
 # Check access: global categories visible to all, account categories only to account members
 if category.account_id and category.account_id != current_user.account_id and not current_user.is_super_admin:
 raise HTTPException(
- status_code=status.HTTP_403_FORBIDDEN,
- detail="You don't have access to this step category"
+ status_code=status.HTTP_404_NOT_FOUND,
+ detail="Step category not found"
 )
 return StepCategoryResponse(
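Review bot: The new 404 only closes the existence oracle if its body is byte-identical to what the initial lookup returns when the category really does not exist; that lookup sits above the hunk (get_step_category's body starts outside it), so I cannot confirm the two `detail` strings agree, and if they differ the response text still separates "missing" from "belongs to another account". I'd hoist the message into one module-level constant, `STEP_CATEGORY_NOT_FOUND = "Step category not found"`, used by both `raise HTTPException(...)` sites, and add a regression test asserting identical status and body for a nonexistent id and a cross-account id. The inline comment should also record the intent, e.g. `# Cross-account access is reported as 404, not 403, so the response does not confirm the category exists`. The same reasoning presumably applies to any update/delete handlers in this file that still raise 403 for a cross-account id; worth checking they are aligned.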