add flag for v1 compatibility

Author: harminius

server/mergin/sync/permissions.py

@@ -210,7 +210,21 @@ def require_project(ws, project_name, permission) -> Project:
     return project
 
 
-def require_project_by_uuid(uuid: str, permission: ProjectPermissions, scheduled=False):
+def require_project_by_uuid(
+    uuid: str, permission: ProjectPermissions, scheduled=False, expose=True
+) -> Project:
+    """
+    Retrieves a project by UUID after validating existence, workspace status, and permissions.
+
+    Args:
+        uuid (str): The unique identifier of the project.
+        permission (ProjectPermissions): The permission level required to access the project.
+        scheduled (bool, optional): If ``True``, bypasses the check for projects marked for deletion.
+        expose (bool, optional): Controls security disclosure behavior on permission failure.
+            - If `True`: Returns 403 Forbidden (reveals project exists but access is denied).
+            - If `False`: Returns 404 Not Found (hides project existence for security).
+            Defaults to `True` for v1 endpoints compatibility.
+    """
     if not is_valid_uuid(uuid):
         abort(404)
 
@@ -220,16 +234,18 @@ def require_project_by_uuid(uuid: str, permission: ProjectPermissions, scheduled
     if not scheduled:
         project = project.filter(Project.removed_at.is_(None))
     project = project.first_or_404()
-    # we don't want to tell anonymous user if a private project exists
-    if current_user.is_anonymous and not project.public:
-        abort(404)
+
     workspace = project.workspace
     if not workspace:
         abort(404)
     if not is_active_workspace(workspace):
         abort(404, "Workspace doesn't exist")
     if not permission.check(project, current_user):
-        abort(403, "You do not have permissions for this project")
+        # we don't want to tell anonymous user if a private project exists
+        if expose:
+            abort(403, "You do not have permissions for this project")
+        else:
+            abort(404)
     return project
 
 

server/mergin/sync/public_api_v2_controller.py

@@ -57,7 +57,7 @@ def schedule_delete_project(id):
     Celery job `mergin.sync.tasks.remove_projects_backups` does the
     rest.
     """
-    project = require_project_by_uuid(id, ProjectPermissions.Delete)
+    project = require_project_by_uuid(id, ProjectPermissions.Delete, expose=False)
     project.removed_at = datetime.utcnow()
     project.removed_by = current_user.id
     db.session.commit()
@@ -68,7 +68,9 @@ def schedule_delete_project(id):
 @auth_required
 def delete_project_now(id):
     """Delete the project immediately"""
-    project = require_project_by_uuid(id, ProjectPermissions.Delete, scheduled=True)
+    project = require_project_by_uuid(
+        id, ProjectPermissions.Delete, scheduled=True, expose=False
+    )
     project.delete()
 
     return NoContent, 204
@@ -77,7 +79,7 @@ def delete_project_now(id):
 @auth_required
 def update_project(id):
     """Rename project"""
-    project = require_project_by_uuid(id, ProjectPermissions.Update)
+    project = require_project_by_uuid(id, ProjectPermissions.Update, expose=False)
     new_name = request.json["name"].strip()
     validation_error = project_name_validation(new_name)
     if validation_error:
@@ -100,7 +102,7 @@ def update_project(id):
 @auth_required
 def get_project_collaborators(id):
     """Get project collaborators, with both direct role and inherited role from workspace"""
-    project = require_project_by_uuid(id, ProjectPermissions.Update)
+    project = require_project_by_uuid(id, ProjectPermissions.Update, expose=False)
     project_members = []
     for user, workspace_role in project.workspace.members():
         project_role = project.get_role(user.id)
@@ -123,7 +125,7 @@ def get_project_collaborators(id):
 @auth_required
 def add_project_collaborator(id):
     """Add project collaborator"""
-    project = require_project_by_uuid(id, ProjectPermissions.Update)
+    project = require_project_by_uuid(id, ProjectPermissions.Update, expose=False)
     user = User.get_by_login(request.json["user"])
     if not user:
         abort(404)
@@ -140,7 +142,7 @@ def add_project_collaborator(id):
 @auth_required
 def update_project_collaborator(id, user_id):
     """Update project collaborator"""
-    project = require_project_by_uuid(id, ProjectPermissions.Update)
+    project = require_project_by_uuid(id, ProjectPermissions.Update, expose=False)
     user = User.query.filter_by(id=user_id, active=True).first_or_404()
     if not project.get_role(user_id):
         abort(404)
@@ -154,7 +156,7 @@ def update_project_collaborator(id, user_id):
 @auth_required
 def remove_project_collaborator(id, user_id):
     """Remove project collaborator"""
-    project = require_project_by_uuid(id, ProjectPermissions.Update)
+    project = require_project_by_uuid(id, ProjectPermissions.Update, expose=False)
     if not project.get_role(user_id):
         abort(404)
 
@@ -165,7 +167,7 @@ def remove_project_collaborator(id, user_id):
 
 def get_project(id, files_at_version=None):
     """Get project info. Include list of files at specific version if requested."""
-    project = require_project_by_uuid(id, ProjectPermissions.Read)
+    project = require_project_by_uuid(id, ProjectPermissions.Read, expose=False)
     data = ProjectSchemaV2().dump(project)
     if files_at_version:
         pv = ProjectVersion.query.filter_by(