possible security flaw
parent
617ae92d72
commit
5990577699
1 changed files with 2 additions and 1 deletions
|
@ -84,7 +84,8 @@ async def get_current_user_if_exists(
|
||||||
|
|
||||||
# fail if not requested by a user
|
# fail if not requested by a user
|
||||||
if current_user is None:
|
if current_user is None:
|
||||||
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
|
# don't use error 404 here: possible user enumeration
|
||||||
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
|
||||||
|
|
||||||
return current_user
|
return current_user
|
||||||
|
|
||||||
|
|
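Review bot: The new `raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)` removes the enumeration signal only if every other failure path that reaches this dependency answers with the same status and body. The hunk shows just this one branch, and `get_current_user_if_exists` starts outside it, so that cannot be confirmed from here. If a malformed or expired credential is rejected earlier with a different code (401, for instance), a client can still tell "credential accepted, no such user" apart from "credential rejected". The comment should state the invariant rather than only the status to avoid, e.g. `# same status as every other auth failure, so a missing account is indistinguishable from a rejected credential`. A test asserting identical status and body for both cases would keep this from regressing.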