From 33a4710d539cdb9f9678eb8232783531e2a47ff1 Mon Sep 17 00:00:00 2001
From: chihlasm
Date: Thu, 9 Apr 2026 04:02:08 +0000
Subject: [PATCH] fix: return 404 instead of 403 for cross-account tag access

get_tag now returns 404 for account-specific tags that belong to another account, preventing resource existence confirmation.

Co-Authored-By: Claude Sonnet 4.6
---
 backend/app/api/endpoints/tags.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/app/api/endpoints/tags.py b/backend/app/api/endpoints/tags.py
index 334e33f8..b8438e8b 100644
--- a/backend/app/api/endpoints/tags.py
+++ b/backend/app/api/endpoints/tags.py
@@ -105,8 +105,8 @@ async def get_tag(
 # Check access: global tags visible to all, account tags only to account members
 if tag.account_id and tag.account_id != current_user.account_id and not current_user.is_super_admin:
 raise HTTPException(
- status_code=status.HTTP_403_FORBIDDEN,
- detail="You don't have access to this tag"
+ status_code=status.HTTP_404_NOT_FOUND,
+ detail="Tag not found"
 )
 return TagResponse.model_validate(tag)
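Review bot: The new 404 on the cross-account branch only hides a tag's existence if it is the same response, status and `detail` string alike, as the genuine missing-tag case, which is presumably raised earlier in `get_tag`, outside this hunk; if that branch words its `detail` differently, the two cases stay distinguishable. Sharing one constant or helper for both raises would keep them in step, and a comment such as `# 404, not 403: do not confirm that another account's tag exists; must match the missing-tag response` would stop a later cleanup from restoring the 403. With the 403 gone, cross-account probing no longer stands out by status code, so the denial is worth logging server-side (caller, tag id, owning account) before the raise. The other tag endpoints in this file are not shown here and may still answer 403 for the same tag, which would reveal the same information.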