Return 404 instead of 403 when the Org API is used to query or edit a…

… CO that does not exist in the Org (fixes #1073)
SURFscz · Nov 16, 2023 · 0bb2572 · 0bb2572
1 parent bc89f99
commit 0bb2572
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 6 deletions.
diff --git a/server/auth/security.py b/server/auth/security.py
@@ -1,6 +1,6 @@
 from flask import session, g as request_context, request as current_request, current_app
 from sqlalchemy.orm import load_only
-from werkzeug.exceptions import Forbidden
+from werkzeug.exceptions import Forbidden, NotFound
 
 from server.db.db import db
 from server.db.domain import (CollaborationMembership, OrganisationMembership, Collaboration, User,
@@ -96,10 +96,12 @@ def confirm_external_api_call():
 def confirm_organisation_api_collaboration(collaboration_identifier, collaboration=None):
     confirm_external_api_call()
     organisation = request_context.external_api_organisation
+    if not organisation:  # i.e., not a valid Org key used for call
+        raise Forbidden()
     if collaboration is None:
         collaboration = Collaboration.query.filter(Collaboration.identifier == collaboration_identifier).one()
-    if not organisation or organisation.id != collaboration.organisation_id:
-        raise Forbidden()
+    if not collaboration or organisation.id != collaboration.organisation_id:  # i.e., CO not found (or not in this Org)
+        raise NotFound()
     return collaboration
 
 

diff --git a/server/test/api/test_collaboration.py b/server/test/api/test_collaboration.py
@@ -887,7 +887,7 @@ def test_find_by_identifier_api(self):
     def test_find_by_identifier_api_not_allowed(self):
         self.get(f"/api/collaborations/v1/{collaboration_uva_researcher_uuid}",
                  headers={"Authorization": f"Bearer {uuc_secret}"},
-                 with_basic_auth=False, response_status_code=403)
+                 with_basic_auth=False, response_status_code=404)
 
     def test_collaboration_new_with_expiry_date_past(self):
         try:
@@ -963,7 +963,7 @@ def test_delete_collaboration_api_forbidden(self):
         self.delete(f"/api/collaborations/v1/{collaboration_ai_computing_uuid}",
                     headers={"Authorization": f"Bearer {uva_secret}"},
                     with_basic_auth=False,
-                    response_status_code=403)
+                    response_status_code=404)
 
     def test_collaboration_with_units(self):
         organisation = Organisation.query.filter(Organisation.name == uuc_name).one()

diff --git a/server/test/api/test_group.py b/server/test/api/test_group.py
@@ -221,7 +221,7 @@ def test_create_group_not_allowed_api(self):
                   },
                   headers={"Authorization": f"Bearer {uuc_secret}"},
                   with_basic_auth=False,
-                  response_status_code=403)
+                  response_status_code=404)
 
     def test_delete_group_api(self):
         group = self.find_entity_by_name(Group, ai_researchers_group)