Summary
When a user without create_child permission on a parent workspace attempts to create a child workspace, the API returns 403 Forbidden. Per the authorization masking pattern used consistently elsewhere in the codebase (tenants, workspaces retrieval, groups, knowledge graphs, data sources), unauthorized access should be indistinguishable from a missing resource — returning 404 Not Found.
Expected Behavior
Per specs/iam/workspaces.spec.md and specs/iam/authorization.spec.md:
- Unauthorized access returns a not-found response
- No distinction is made between "unauthorized" and "missing parent"
Actual Behavior
iam/presentation/workspaces/routes.py:82-86 catches UnauthorizedError and returns 403 Forbidden:
except UnauthorizedError:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="You do not have permission to perform this action",
)Impact
Leaks the existence of workspaces the user doesn't have access to. An attacker can enumerate workspace IDs by distinguishing 403 (exists but unauthorized) from 404 (doesn't exist).
Fix
Change the workspace creation error handler to return 404 when create_child permission check fails, consistent with the information-hiding pattern used for workspace retrieval, tenant retrieval, group retrieval, etc.
References
specs/iam/authorization.spec.md — "Information Hiding on Authorization Failure"specs/iam/workspaces.spec.md — "Unauthorized creation" scenario
Summary
When a user without
create_childpermission on a parent workspace attempts to create a child workspace, the API returns403 Forbidden. Per the authorization masking pattern used consistently elsewhere in the codebase (tenants, workspaces retrieval, groups, knowledge graphs, data sources), unauthorized access should be indistinguishable from a missing resource — returning404 Not Found.Expected Behavior
Per
specs/iam/workspaces.spec.mdandspecs/iam/authorization.spec.md:Actual Behavior
iam/presentation/workspaces/routes.py:82-86catchesUnauthorizedErrorand returns403 Forbidden:Impact
Leaks the existence of workspaces the user doesn't have access to. An attacker can enumerate workspace IDs by distinguishing 403 (exists but unauthorized) from 404 (doesn't exist).
Fix
Change the workspace creation error handler to return 404 when
create_childpermission check fails, consistent with the information-hiding pattern used for workspace retrieval, tenant retrieval, group retrieval, etc.References
specs/iam/authorization.spec.md— "Information Hiding on Authorization Failure"specs/iam/workspaces.spec.md— "Unauthorized creation" scenario