From 5f0a92734e97ca35c6c5ff316d2295c43ddcb026 Mon Sep 17 00:00:00 2001
From: chihlasm
Date: Thu, 9 Apr 2026 04:01:57 +0000
Subject: [PATCH] fix: return 404 instead of 403 for cross-tenant tree access

get_tree and update_tree now return 404 when a user cannot access a tree (private tree from another account). Prevents confirming resource existence across tenant boundaries.

Co-Authored-By: Claude Sonnet 4.6
---
 backend/app/api/endpoints/trees.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/backend/app/api/endpoints/trees.py b/backend/app/api/endpoints/trees.py
index 73927cf8..2ea68c48 100644
--- a/backend/app/api/endpoints/trees.py
+++ b/backend/app/api/endpoints/trees.py
@@ -392,8 +392,8 @@ async def get_tree(
     if not tree.is_active or not can_access_tree(current_user, tree):
         raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="You don't have access to this tree"
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Tree not found"
         )
     return build_full_tree_response(tree)
@@ -611,8 +611,8 @@ async def update_tree(
     if not can_edit_tree(current_user, tree):
         raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="You can only edit your own trees"
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Tree not found"
         )
     # Extract tags for separate handling
@@ -1145,8 +1145,8 @@ async def update_tree_visibility(
     if not can_edit_tree(current_user, tree):
         raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="You can only edit your own trees"
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Tree not found"
         )
     # Update visibility
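Review bot: The 404 in get_tree only hides existence if it is byte-for-byte the same response the not-found branch produces, and that branch (presumably an earlier `if tree is None` raise in get_tree, outside this hunk) is not shown here; if its `detail` differs from `"Tree not found"`, or it is raised before any per-tenant work while this one is raised after, the two cases remain distinguishable by body or by timing. It would be worth hoisting the string into one module constant used by both raises, e.g. `TREE_NOT_FOUND_DETAIL = "Tree not found"`, so they cannot drift apart. The diffstat shows only trees.py changed, so any existing test asserting 403 on these paths will now fail, and there is no regression test asserting that a private tree owned by another account returns the same status and body as a non-existent id. The enclosing get_tree body starts before this hunk.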
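Review bot: In update_tree the `can_edit_tree` failure is now reported as 404 for every caller, including one who can read the tree (a public tree, or whatever can_access_tree admits in get_tree); that user can fetch the tree with 200 and then be told it does not exist on PUT, which is misleading and gains nothing since existence is already disclosed to them. The same applies to the identical change in update_tree_visibility in the third hunk, which the commit description does not mention. I would split the check: 404 when the tree is not readable by the caller (mirroring the guard in get_tree), 403 when it is readable but not editable, keeping the original message for that case. The enclosing update_tree body starts before and continues after this hunk, and can_edit_tree's exact semantics are not visible here.
```python
    if not tree.is_active or not can_access_tree(current_user, tree):
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND,
            detail="Tree not found"
        )
    if not can_edit_tree(current_user, tree):
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="You can only edit your own trees"
        )
    # … unchanged: tag extraction and update …
```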