From a6722cf4ecd2cce4d0953f59aa86b7777c277e7d Mon Sep 17 00:00:00 2001
From: chihlasm
Date: Thu, 9 Apr 2026 04:02:06 +0000
Subject: [PATCH] fix: return 404 instead of 403 for cross-team tree access in maintenance schedules

_get_tree_or_403 now returns 404 when the user's team does not match, preventing confirmation of tree existence across teams.

Co-Authored-By: Claude Sonnet 4.6
---
 backend/app/api/endpoints/maintenance_schedules.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/app/api/endpoints/maintenance_schedules.py b/backend/app/api/endpoints/maintenance_schedules.py
index b7195637..9fd979d0 100644
--- a/backend/app/api/endpoints/maintenance_schedules.py
+++ b/backend/app/api/endpoints/maintenance_schedules.py
@@ -38,7 +38,7 @@ async def _get_tree_or_403(tree_id: UUID, current_user: User, db: AsyncSession)
     # Super admins can access any tree; regular users must be on the same team
     if not getattr(current_user, 'is_super_admin', False):
         if tree.team_id != current_user.team_id:
-            raise HTTPException(status_code=403, detail="Access denied")
+            raise HTTPException(status_code=404, detail="Tree not found")
     return tree