fix(document): add 404 guard to version list/get endpoints (#2762)

list_versions and get_version used a soft 'if doc:' guard that skipped
ownership verification when the Document row was missing (e.g. after
hard delete). Orphaned DocumentVersion rows would be returned to any
caller without an ownership check. Now raises 404 when the parent document is gone,
matching the pattern already used in restore_version.
Ernest Hysa
2026-06-05 14:12:40 +01:00
committed by GitHub
parent d4ff7fce81
commit f5c9095222
+6 -4
@@ -663,8 +663,9 @@ def setup_document_routes(session_manager, upload_handler=None) -> APIRouter:
try:
# Verify ownership before listing versions
doc = db.query(Document).filter(Document.id == doc_id).first()
if doc:
_verify_doc_owner(db, doc, user)
if not doc:
raise HTTPException(404, "Document not found")
_verify_doc_owner(db, doc, user)
versions = db.query(DocumentVersion).filter(
DocumentVersion.document_id == doc_id
).order_by(DocumentVersion.version_number.desc()).all()
@@ -687,8 +688,9 @@ def setup_document_routes(session_manager, upload_handler=None) -> APIRouter:
try:
# Verify ownership
doc = db.query(Document).filter(Document.id == doc_id).first()
if doc:
_verify_doc_owner(db, doc, user)
if not doc:
raise HTTPException(404, "Document not found")
_verify_doc_owner(db, doc, user)
ver = db.query(DocumentVersion).filter(
DocumentVersion.document_id == doc_id,
DocumentVersion.version_number == num,
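Review bot: The `if not doc: raise HTTPException(404, "Document not found")` guard is now copied into both hunks (the version list path in the first, the single-version path in the second) and, per the description, into restore_version, so the authorization of every version endpoint depends on each copy staying in step; a shared helper such as `doc = _get_owned_doc_or_404(db, doc_id, user)` (name suggested) would make the check hard to omit in a future endpoint. Both raises sit inside a `try:` whose except clauses are outside the hunk, so it is worth confirming that HTTPException is re-raised there rather than converted into a 500. If `_verify_doc_owner` answers a non-owner with a status other than 404, the two responses let a caller tell existing document ids from missing ones; returning the same 404 for both would close that. A regression test that requests versions for a document id with no Document row would pin the fix.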