fix: return 404 instead of 403 for cross-tenant upload access

get_upload_url and delete_upload now return 404 when the upload belongs to a different account/user, preventing resource existence confirmation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 04:02:04 +00:00
parent 9150173c3d
commit aa8d555cb6
1 changed files with 4 additions and 4 deletions
--- a/backend/app/api/endpoints/uploads.py
+++ b/backend/app/api/endpoints/uploads.py
@@ -255,9 +255,9 @@ async def get_upload_url(
    if upload is None:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Upload not found")

-    # Verify the upload belongs to the user's account
+    # Verify the upload belongs to the user's account — 404 to avoid revealing existence
    if upload.account_id != current_user.account_id and not current_user.is_super_admin:
-        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Access denied")
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Upload not found")

    url = storage_service.get_presigned_url(upload.storage_key)
    return {"url": url}
@@ -311,9 +311,9 @@ async def delete_upload(
    if upload is None:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Upload not found")

-    # Verify ownership
+    # Verify ownership — 404 to avoid revealing existence
    if upload.uploaded_by != current_user.id and not current_user.is_super_admin:
-        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Access denied")
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Upload not found")

    # Delete from S3
    await storage_service.delete_file(upload.storage_key)