From 9150173c3d8d26f13a23727431490addb5445726 Mon Sep 17 00:00:00 2001
From: chihlasm
Date: Thu, 9 Apr 2026 04:02:02 +0000
Subject: [PATCH] fix: return 404 instead of 403 for cross-tenant step access

get_step_or_404 now returns 404 when can_view_step or can_edit_step fails, preventing confirmation of step existence across tenant boundaries.

Co-Authored-By: Claude Sonnet 4.6
---
 backend/app/api/endpoints/steps.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/app/api/endpoints/steps.py b/backend/app/api/endpoints/steps.py
index 14bc5a7c..992c1725 100644
--- a/backend/app/api/endpoints/steps.py
+++ b/backend/app/api/endpoints/steps.py
@@ -47,10 +47,10 @@ async def get_step_or_404(
         raise HTTPException(status_code=404, detail="Step not found")
     if check_view and not can_view_step(current_user, step):
-        raise HTTPException(status_code=403, detail="Not authorized to view this step")
+        raise HTTPException(status_code=404, detail="Step not found")
     if check_edit and not can_edit_step(current_user, step):
-        raise HTTPException(status_code=403, detail="Not authorized to modify this step")
+        raise HTTPException(status_code=404, detail="Step not found")
     return step
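Review bot: The new 404 in the `check_edit` branch also fires for a caller who passes `can_view_step` but lacks edit rights, so the same user would get the step back on a read and "Step not found" on a modify; existence is already disclosed to that caller, and the 404 buys no secrecy there while misleading the client. Consider keeping 403 when the view check passes, e.g. inside the edit branch `if can_view_step(current_user, step): raise HTTPException(status_code=403, detail="Not authorized to modify this step")` and falling through to the 404 otherwise (whether a view-but-not-edit role actually exists depends on the permission helpers, which are not in the hunk). Because the function is literally named `get_step_or_404`, a later maintainer may "correct" the status back to 403, so a comment above the first changed line such as `# Deliberately 404, not 403: a distinct status would confirm the step exists to callers outside its tenant.` should record the intent. A uniform 404 only closes the status-code oracle; whether sibling endpoints in this module or a measurable timing gap between the lookup and the permission check still reveal existence cannot be judged from this hunk. The `get_step_or_404` signature and the initial lookup lie above the hunk.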