Non-admin user tries to delete non-existing result 401

[amrita-shrestha]

Describe the bug

Non-admin users try to delete the non-existing users. Then the API request returns a 401 HTTP status code.

curl -u user:password DELETE 'https://localhost:9200/graph/v1.0/users/random-uuid' \

Expected behavior

The HTTP status code should be 404. Forbidden rather than 401 Unauthorized

Actual behavior

Return 401 Unauthorized

[saw-jan]

CC @ScharfViktor @micbar
Do we expect non-admin user to get 404 Not Found on trying to DELETE non-existent user?

[ScharfViktor]

it is not bug IMHO or low priority

backend seems to have two checks:

• does the user with uuid exist (404)
• does user rigth to delete (401)

if a user with uuid exists -> we get a 401. In any case, a non-admin cannot remove the user

[individual-it]

I think for security reasons it would be better to return 401 if the user that tries to delete does not have enough permissions, because that would prevent people from guessing user-names.
With the current situation a non-privileged user can find out what users exist in the system, simple by sending delete requests and check for 404 vs 401

[amrita-shrestha]

butonic gave some insight in this comment #5742 (comment)

In general here is a list of error codes returned by the ms graph api: https://learn.microsoft.com/en-us/graph/errors

Now the 401 Unauthorized vs 403 Forbidden vs 404 Not Found status code may look tricky, but hara are the guidelines:

• we don't want to expose existence of resources if a user has no access to them, so we return a 404 Not Found instead of > a 403 Forbidden.
• when a user has access to a resource but tries to execute an action that he does not have enough permissions for, e.g.
  when he tries to write to a read only share, we return a 403 Forbidden