From f5c9095222d7f44250c1c7a30a118b655f8b7e83 Mon Sep 17 00:00:00 2001
From: Ernest Hysa <59969602+ErnestHysa@users.noreply.github.com>
Date: Fri, 5 Jun 2026 14:12:40 +0100
Subject: [PATCH] fix(document): add 404 guard to version list/get endpoints (#2762)

list_versions and get_version used a soft 'if doc:' guard that skipped ownership verification when the Document row was missing (e.g. after hard delete). Orphaned DocumentVersion rows would be returned to any caller without auth. Now raises 404 when the parent document is gone, matching the pattern already used in restore_version.
---
 routes/document_routes.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/routes/document_routes.py b/routes/document_routes.py
index 03661b26b..aef2a5f68 100644
--- a/routes/document_routes.py
+++ b/routes/document_routes.py
@@ -663,8 +663,9 @@ def setup_document_routes(session_manager, upload_handler=None) -> APIRouter:
 try:
 # Verify ownership before listing versions
 doc = db.query(Document).filter(Document.id == doc_id).first()
- if doc:
- _verify_doc_owner(db, doc, user)
+ if not doc:
+ raise HTTPException(404, "Document not found")
+ _verify_doc_owner(db, doc, user)
 versions = db.query(DocumentVersion).filter(
 DocumentVersion.document_id == doc_id
 ).order_by(DocumentVersion.version_number.desc()).all()
@@ -687,8 +688,9 @@ def setup_document_routes(session_manager, upload_handler=None) -> APIRouter:
 try:
 # Verify ownership
 doc = db.query(Document).filter(Document.id == doc_id).first()
- if doc:
- _verify_doc_owner(db, doc, user)
+ if not doc:
+ raise HTTPException(404, "Document not found")
+ _verify_doc_owner(db, doc, user)
 ver = db.query(DocumentVersion).filter(
 DocumentVersion.document_id == doc_id,
 DocumentVersion.version_number == num,
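Review bot: The new `raise HTTPException(404, "Document not found")` runs before `_verify_doc_owner`, so a caller may be able to tell a missing document id from one that exists but belongs to someone else, if `_verify_doc_owner` (not shown in the hunk) answers with a different status such as 403; returning the same 404 for both cases would remove that id-enumeration signal. The raise also sits inside the `try:` whose handler is outside the hunk, so it is worth confirming that the handler re-raises `HTTPException` (`except HTTPException: raise`) instead of turning the 404 into a 500. Both points apply equally to the second hunk at new line 688. The guard stops orphaned `DocumentVersion` rows from being served, but going by the commit message the rows themselves stay behind after a hard delete, so a cascade on the delete path would remove the data rather than only block access to it.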
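Review bot: The lookup-and-guard sequence ahead of the `ver` query is a copy of the one in the first hunk and, per the commit message, of the one in restore_version, so an authorization check that has to stay identical now lives in three places; a small helper, for example `doc = _get_owned_doc_or_404(db, doc_id, user)`, would keep the copies from drifting apart again. The comment `# Verify ownership` could also record why the 404 comes first, e.g. `# 404 first: with no parent Document there is no owner to check, so versions must not be served`. The diffstat lists only routes/document_routes.py, so no regression test covers a request for a version whose parent document has been deleted. The enclosing function starts and ends outside the hunk.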