fix: return 404 instead of 403 for cross-tenant tree access

get_tree and update_tree now return 404 when a user cannot access a tree (private tree from another account). Prevents confirming resource existence across tenant boundaries. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 04:01:57 +00:00
parent 7d262c5b0c
commit 5f0a92734e
1 changed files with 6 additions and 6 deletions
--- a/backend/app/api/endpoints/trees.py
+++ b/backend/app/api/endpoints/trees.py
@@ -392,8 +392,8 @@ async def get_tree(

    if not tree.is_active or not can_access_tree(current_user, tree):
        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="You don't have access to this tree"
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Tree not found"
        )

    return build_full_tree_response(tree)
@@ -611,8 +611,8 @@ async def update_tree(

    if not can_edit_tree(current_user, tree):
        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="You can only edit your own trees"
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Tree not found"
        )

    # Extract tags for separate handling
@@ -1145,8 +1145,8 @@ async def update_tree_visibility(

    if not can_edit_tree(current_user, tree):
        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="You can only edit your own trees"
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Tree not found"
        )

    # Update visibility