From 3e59a8b4624b9206143edbb540d7d13d5dfb608a Mon Sep 17 00:00:00 2001
From: Jan Max Meyer
Date: Thu, 6 Nov 2025 23:29:01 +0100
Subject: [PATCH] fix: list: Distinguish between 401 and 403
Currently, any listFilter that returns None raises error 401, althought a user is authorized. This fix raises error 403 forbidden when an authenticated user is not allowed to proceed.
---
 src/viur/core/prototypes/list.py | 5 ++++-
 src/viur/core/prototypes/tree.py | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/viur/core/prototypes/list.py b/src/viur/core/prototypes/list.py
index 76fc0d58d..a1274c0c5 100644
--- a/src/viur/core/prototypes/list.py
+++ b/src/viur/core/prototypes/list.py
@@ -200,7 +200,10 @@ def list(self, *args, **kwargs) -> t.Any:
 # The general access control is made via self.listFilter()
 if not (query := self.listFilter(skel.all().mergeExternalFilter(kwargs))):
- raise errors.Unauthorized()
+ if current.user.get():
+ raise errors.Forbidden()
+ else:
+ raise errors.Unauthorized()
 self._apply_default_order(query)
 return self.render.list(query.fetch())
diff --git a/src/viur/core/prototypes/tree.py b/src/viur/core/prototypes/tree.py
index e61cbced8..b89c1a36b 100644
--- a/src/viur/core/prototypes/tree.py
+++ b/src/viur/core/prototypes/tree.py
@@ -340,7 +340,10 @@ def list(self, skelType: SkelType, *args, **kwargs) -> t.Any:
 # The general access control is made via self.listFilter()
 if not (query := self.listFilter(self.viewSkel(skelType).all().mergeExternalFilter(kwargs))):
- raise errors.Unauthorized()
+ if current.user.get():
+ raise errors.Forbidden()
+ else:
+ raise errors.Unauthorized()
 self._apply_default_order(query)
 return self.render.list(query.fetch())
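Review bot: The new 401/403 branch under `if not (query := self.listFilter(...))` is duplicated verbatim in `list()` of both `list.py` and `tree.py`, and the `else` after a `raise` is redundant; one statement such as `raise errors.Forbidden() if current.user.get() else errors.Unauthorized()` keeps the two call sites short and less likely to drift apart. The status code now depends entirely on the truthiness of `current.user.get()`, so it is worth confirming that this is falsy for every session that is not fully authenticated; the hunks do not show that, nor that `current` is imported in both modules. If the other handlers in these prototypes still answer 401 to a logged-in user whose access check fails (not visible here), they should get the same treatment so clients and access-denied logs see consistent codes. Both `list()` bodies start outside the hunks shown. The commit adds no test; one that calls `list` with an authenticated user and a `listFilter` returning `None`, expecting 403, would pin the behaviour.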