🐛Update items.py to return status code 403 in case of insufficient permissions (#1543)

2026-01-22 13:46:35 +01:00
parent a45258f520
commit 9fe3a4d221
2 changed files with 6 additions and 6 deletions
--- a/backend/app/api/routes/items.py
+++ b/backend/app/api/routes/items.py
@@ -50,7 +50,7 @@ def read_item(session: SessionDep, current_user: CurrentUser, id: uuid.UUID) ->
    if not item:
        raise HTTPException(status_code=404, detail="Item not found")
    if not current_user.is_superuser and (item.owner_id != current_user.id):
-        raise HTTPException(status_code=400, detail="Not enough permissions")
+        raise HTTPException(status_code=403, detail="Not enough permissions")
    return item


@@ -83,7 +83,7 @@ def update_item(
    if not item:
        raise HTTPException(status_code=404, detail="Item not found")
    if not current_user.is_superuser and (item.owner_id != current_user.id):
-        raise HTTPException(status_code=400, detail="Not enough permissions")
+        raise HTTPException(status_code=403, detail="Not enough permissions")
    update_dict = item_in.model_dump(exclude_unset=True)
    item.sqlmodel_update(update_dict)
    session.add(item)
@@ -103,7 +103,7 @@ def delete_item(
    if not item:
        raise HTTPException(status_code=404, detail="Item not found")
    if not current_user.is_superuser and (item.owner_id != current_user.id):
-        raise HTTPException(status_code=400, detail="Not enough permissions")
+        raise HTTPException(status_code=403, detail="Not enough permissions")
    session.delete(item)
    session.commit()
    return Message(message="Item deleted successfully")
--- a/backend/tests/api/routes/test_items.py
+++ b/backend/tests/api/routes/test_items.py
@@ -60,7 +60,7 @@ def test_read_item_not_enough_permissions(
        f"{settings.API_V1_STR}/items/{item.id}",
        headers=normal_user_token_headers,
    )
-    assert response.status_code == 400
+    assert response.status_code == 403
    content = response.json()
    assert content["detail"] == "Not enough permissions"

@@ -121,7 +121,7 @@ def test_update_item_not_enough_permissions(
        headers=normal_user_token_headers,
        json=data,
    )
-    assert response.status_code == 400
+    assert response.status_code == 403
    content = response.json()
    assert content["detail"] == "Not enough permissions"

@@ -159,6 +159,6 @@ def test_delete_item_not_enough_permissions(
        f"{settings.API_V1_STR}/items/{item.id}",
        headers=normal_user_token_headers,
    )
-    assert response.status_code == 400
+    assert response.status_code == 403
    content = response.json()
    assert content["detail"] == "Not enough permissions"