fix: return 404 (not 403) for get_documentation cross-user access; add missing Task 6 tests

get_documentation was revealing session existence via 403. Added pre-check query filtering by session_id AND user_id before calling the engine. Also add cross-tenant isolation tests for steps, tags, step_categories, and maintenance_schedules endpoints fixed in Task 6 (TDD was skipped). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 04:12:59 +00:00
parent 8a4c870cd9
commit ff53ea7da9
2 changed files with 152 additions and 0 deletions
--- a/backend/app/api/endpoints/ai_sessions.py
+++ b/backend/app/api/endpoints/ai_sessions.py
@@ -921,6 +921,16 @@ async def get_documentation(
    db: Annotated[AsyncSession, Depends(get_db)],
 ):
    """Get auto-generated documentation for a session."""
+    # Verify session ownership — return 404 (not 403) to avoid confirming existence.
+    result = await db.execute(
+        select(AISession).where(
+            AISession.id == session_id,
+            AISession.user_id == current_user.id,
+        )
+    )
+    if not result.scalar_one_or_none():
+        raise HTTPException(status_code=404, detail="Session not found")
+
    try:
        return await flowpilot_engine.get_session_documentation(
            session_id=session_id,