fastapi · jpizquierdo · Apr 14, 2025 · Apr 14, 2025
diff --git a/backend/app/api/routes/items.py b/backend/app/api/routes/items.py
@@ -50,7 +50,7 @@ def read_item(session: SessionDep, current_user: CurrentUser, id: uuid.UUID) ->
     if not item:
         raise HTTPException(status_code=404, detail="Item not found")
     if not current_user.is_superuser and (item.owner_id != current_user.id):
-        raise HTTPException(status_code=400, detail="Not enough permissions")
+        raise HTTPException(status_code=403, detail="Not enough permissions")
     return item
 
 
@@ -83,7 +83,7 @@ def update_item(
     if not item:
         raise HTTPException(status_code=404, detail="Item not found")
     if not current_user.is_superuser and (item.owner_id != current_user.id):
-        raise HTTPException(status_code=400, detail="Not enough permissions")
+        raise HTTPException(status_code=403, detail="Not enough permissions")
     update_dict = item_in.model_dump(exclude_unset=True)
     item.sqlmodel_update(update_dict)
     session.add(item)
@@ -103,7 +103,7 @@ def delete_item(
     if not item:
         raise HTTPException(status_code=404, detail="Item not found")
     if not current_user.is_superuser and (item.owner_id != current_user.id):
-        raise HTTPException(status_code=400, detail="Not enough permissions")
+        raise HTTPException(status_code=403, detail="Not enough permissions")
     session.delete(item)
     session.commit()
     return Message(message="Item deleted successfully")
diff --git a/backend/app/tests/api/routes/test_items.py b/backend/app/tests/api/routes/test_items.py
@@ -60,7 +60,7 @@ def test_read_item_not_enough_permissions(
         f"{settings.API_V1_STR}/items/{item.id}",
         headers=normal_user_token_headers,
     )
-    assert response.status_code == 400
+    assert response.status_code == 403
     content = response.json()
     assert content["detail"] == "Not enough permissions"
 
@@ -121,7 +121,7 @@ def test_update_item_not_enough_permissions(
         headers=normal_user_token_headers,
         json=data,
     )
-    assert response.status_code == 400
+    assert response.status_code == 403
     content = response.json()
     assert content["detail"] == "Not enough permissions"
 
@@ -159,6 +159,6 @@ def test_delete_item_not_enough_permissions(
         f"{settings.API_V1_STR}/items/{item.id}",
         headers=normal_user_token_headers,
     )
-    assert response.status_code == 400
+    assert response.status_code == 403
     content = response.json()
     assert content["detail"] == "Not enough permissions"