
Space disable/delete operation returns 404 instead of 403/401 in case of no permissions #11781

@jesmrec

Describe the bug

If any user with no permissions disables a space, a 404 is returned. 404 means Not Found, but the space is there, in front of his/her eyes.

403 Forbidden or 401 Unauthorized fits such a situation better and helps clients show a proper error message.

Steps to reproduce

  1. A user in the Android client with manager permission over the space lists the available operations for his/her role over the space
  2. Before submitting any operation, that user is downgraded to viewer in the space
  3. User clicks on Disable space

Expected behavior

403 Forbidden or 401 Unauthorized returned by the DELETE request

Actual behavior

404 Not Found returned. Following the steps above, the space is not disabled because of the lack of permissions and is still visible and displayed, so Not Found is not correct.

Setup

Perform the following curl

curl -H 'Original-Request-ID: 033BCBF5-9812-46C0-81F3-722998AD7FB9' -H 'Connection: keep-alive' -H 'Accept: */*' -H 'Accept-Language: en' -H 'Authorization: Bearer xxx' -H 'X-Request-ID: 033BCBF5-9812-46C0-81F3-722998AD7FB9' -X DELETE 'https://xx.xx.xx.xx:9200/graph/v1.0/drives/<drive-id>'

oCIS setup:

ownCloud Infinite Scale
Edition Community
Version 7.3.0
Web client version 12.1.1

Additional context

Add any other context about the problem here.
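
The status choice argued for above, as an added example in Go (not oCIS code and not part of the original report): 404 is kept for callers who cannot see the space at all, and 403 is returned once the caller is a member who lacks the required role. The `Role` type, its values and `disableStatus` are hypothetical names, and the 204 success status is an assumption of the example.

```go
package main

import (
	"fmt"
	"net/http"
)

// Role is a hypothetical space role; the names are assumptions, not oCIS identifiers.
type Role int

const (
	None   Role = iota // not a member: the space is invisible to the caller
	Viewer             // can list and read the space, cannot disable it
	Manager            // may disable the space
)

// disableStatus picks the HTTP status for a DELETE (disable) request on a space.
func disableStatus(authenticated, exists bool, role Role) int {
	switch {
	case !authenticated:
		return http.StatusUnauthorized // 401: no valid credentials presented
	case !exists || role == None:
		// A non-member must not learn whether the space exists, so 404 is fine here.
		return http.StatusNotFound
	case role < Manager:
		// The caller already sees the space, so 404 hides nothing; 403 lets the
		// client show a "no permission" message instead of "not found".
		return http.StatusForbidden
	default:
		return http.StatusNoContent // success status assumed for the example
	}
}

func main() {
	// Constructed cases; the third one is the scenario from the report.
	cases := []struct {
		name         string
		auth, exists bool
		role         Role
	}{
		{"no token", false, true, Manager},
		{"non-member", true, true, None},
		{"manager downgraded to viewer", true, true, Viewer},
		{"manager", true, true, Manager},
	}
	for _, c := range cases {
		fmt.Printf("%-30s -> %d\n", c.name, disableStatus(c.auth, c.exists, c.role))
	}
}
```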
