From 50f9894c81233c3d1947c3723871af5cd5ab8154 Mon Sep 17 00:00:00 2001
From: Étienne Loks
Date: Wed, 4 Feb 2026 16:52:21 +0100
Subject: 🩹 GIS token creation: return 403 instead of 200 for invalid tokens
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 ishtar_common/views.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ishtar_common/views.py b/ishtar_common/views.py
index e4846e824..545c4a413 100644
--- a/ishtar_common/views.py
+++ b/ishtar_common/views.py
@@ -52,6 +52,7 @@ from django.http import (
     Http404,
     HttpResponseRedirect,
     HttpResponseBadRequest,
+    HttpResponseForbidden,
     JsonResponse,
 )
 from django.shortcuts import redirect, render, get_object_or_404
@@ -1598,7 +1599,7 @@ def gis_create_token(request, request_key, app_key):
     # prevent brut force of bots?
     q = models_rest.UserRequestToken.objects.filter(key=request_key)
     if not q.count():
-        return HttpResponse(content_type="text/plain")
+        return HttpResponseForbidden()
     client_ip, __ = get_client_ip(request)
     token = q.all()[0].generate_token(app_key, from_ip=client_ip)
     return HttpResponse((token and token.key[7:]) or "", content_type="text/plain")
-- 
cgit v1.2.3
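Review bot: The two failure paths of `gis_create_token` are now inconsistent: an unknown `request_key` answers 403, but when `generate_token(app_key, from_ip=client_ip)` returns a falsy value the last line of the hunk still answers 200 with an empty body, which is exactly the behaviour this commit removes for the first case. If a falsy token means the request was refused (the `or ""` suggests that is an expected outcome, though it is not visible here), the same rule should apply there, e.g. `if not token: return HttpResponseForbidden()` before the final `HttpResponse`. The `# prevent brut force of bots?` question above the lookup is still open after this change — a distinct status code does not add throttling — so it would be clearer as an explicit `# TODO: rate-limit lookups by client_ip / request_key` than as a question. Separately, `q.count()` followed by `q.all()[0]` issues two queries where `q.first()` returns the row or None in one and removes the indexing. The `def gis_create_token` line is outside the hunk (shown only in the hunk header), and whether the final `return` ends the function cannot be seen from here.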