From aa8d555cb6b26c5b2b31c550ffcfc7ed903a7813 Mon Sep 17 00:00:00 2001
From: chihlasm
Date: Thu, 9 Apr 2026 04:02:04 +0000
Subject: [PATCH] fix: return 404 instead of 403 for cross-tenant upload access
get_upload_url and delete_upload now return 404 when the upload belongs to a different account/user, preventing resource existence confirmation.
Co-Authored-By: Claude Sonnet 4.6
---
 backend/app/api/endpoints/uploads.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/backend/app/api/endpoints/uploads.py b/backend/app/api/endpoints/uploads.py
index eb9d0e38..1a3efc83 100644
--- a/backend/app/api/endpoints/uploads.py
+++ b/backend/app/api/endpoints/uploads.py
@@ -255,9 +255,9 @@ async def get_upload_url(
 if upload is None:
 raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Upload not found")
- # Verify the upload belongs to the user's account
+ # Verify the upload belongs to the user's account — 404 to avoid revealing existence
 if upload.account_id != current_user.account_id and not current_user.is_super_admin:
- raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Access denied")
+ raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Upload not found")
 url = storage_service.get_presigned_url(upload.storage_key)
 return {"url": url}
@@ -311,9 +311,9 @@ async def delete_upload(
 if upload is None:
 raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Upload not found")
- # Verify ownership
+ # Verify ownership — 404 to avoid revealing existence
 if upload.uploaded_by != current_user.id and not current_user.is_super_admin:
- raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Access denied")
+ raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Upload not found")
 # Delete from S3
 await storage_service.delete_file(upload.storage_key)
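Review bot: The denied cross-account branch in get_upload_url now returns the same response as a plain miss, so the server is the only place left that can tell an ID-probing caller from a stale link, and the branch records nothing before it raises. A log line ahead of the raise would keep that signal, for example `logger.warning("cross-account upload access denied user=%s upload_account=%s", current_user.id, upload.account_id)`, assuming the module already has a logger in scope. The 404 added in delete_upload has the same gap. Separately, `upload.account_id != current_user.account_id` evaluates to false when both sides are None, so if either column is nullable the check lets the request through; confirm that against the models. The function body starts outside the hunk, so the lookup that produces `upload` is not visible here.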
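Review bot: The check in delete_upload compares `upload.uploaded_by` with `current_user.id`, so the new 404 also goes to users in the same account who did not upload the file, not only to other tenants as the commit title says. Those users can presumably already obtain the file through get_upload_url, which checks the account only, so "Upload not found" hides nothing from them and misreports a permission failure. Splitting the check keeps 404 for another account and 403 for a same-account non-owner. This assumes `upload` here is the same model that exposes `account_id` in get_upload_url. The function body starts outside the hunk.

```python
    # Other account: hide existence. Same account but not the uploader:
    # existence is already visible through get_upload_url, so report 403.
    if not current_user.is_super_admin:
        if upload.account_id != current_user.account_id:
            raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Upload not found")
        if upload.uploaded_by != current_user.id:
            raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Access denied")
    # … unchanged: S3 delete via storage_service.delete_file …
```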