GET project never exposes

harminius · harminius · commit e8451429b41e · 2025-12-02T13:08:33.000+01:00
diff --git a/server/mergin/sync/permissions.py b/server/mergin/sync/permissions.py
@@ -223,7 +223,7 @@ def require_project_by_uuid(
         expose (bool, optional): Controls security disclosure behavior on permission failure.
             - If `True`: Returns 403 Forbidden (reveals project exists but access is denied).
             - If `False`: Returns 404 Not Found (hides project existence for security).
-            Defaults to `True` for v1 endpoints compatibility.
+            Standard is that reading results in 404, while writing results in 403
     """
     if not is_valid_uuid(uuid):
         abort(404)
diff --git a/server/mergin/tests/test_public_api_v2.py b/server/mergin/tests/test_public_api_v2.py
@@ -180,11 +180,11 @@ def test_get_project(client):
     # anonymous user cannot access the private resource
     response = client.get(f"v2/projects/{project.id}")
     assert response.status_code == 404
-    # lack of permissions
+    # lack of permissions also results in 404 for GET project
     user = add_user("tests", "tests")
     login(client, user.username, "tests")
     response = client.get(f"v2/projects/{project.id}")
-    assert response.status_code == 403
+    assert response.status_code == 404
     # access public project
     project.public = True
     db.session.commit()
