possible security flaw

This commit is contained in:
Jörn-Michael Miehe 2022-03-29 16:12:29 +00:00
parent 617ae92d72
commit 5990577699

View file

@ -84,7 +84,8 @@ async def get_current_user_if_exists(
# fail if not requested by a user # fail if not requested by a user
if current_user is None: if current_user is None:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND) # don't use error 404 here: possible user enumeration
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
return current_user return current_user