Return 401 for internal auth if lecture is not found

api/src/api/routes/resources.py

@@ -21,7 +21,7 @@ if _FILE_URI_PREFIX_PATH is None:
 _API_RESOURCE_RATE_LIMITERS = create_configured_host_rate_limiters("resources", api.config["API_RESOURCES_RATE_LIMIT"])
 
 
-def _check_access_medium_file(course_handle: str, medium_file_id: int) -> MediumFile:
+def _check_access_medium_file(course_handle: str, medium_file_id: int, not_found_as_unauthorized: bool = False) -> MediumFile:
     is_mod = is_moderator()
     medium_file = database.query_one_or_none_and_expunge(
         MediumFile.select(
@@ -40,6 +40,9 @@ def _check_access_medium_file(course_handle: str, medium_file_id: int) -> Medium
         medium_file = None
     
     if medium_file is None:
+        if not_found_as_unauthorized:
+            raise ApiClientException(ERROR_UNAUTHORIZED)
+        else:
             raise ApiClientException(ERROR_UNKNOWN_OBJECT_OR_NO_ACCESS)
     
     if not are_view_permissions_fulfilled(medium_file.lecture.effective_view_permissions):
@@ -99,7 +102,7 @@ def api_route_resource_internal_auth_check():
     except ValueError:
         raise ApiClientException(ERROR_REQUEST_INVALID_PARAMETER("URL.co_ha", "Unable to parse handle"))
 
-    medium_file = _check_access_medium_file(course_handle, medium_file_id)
+    medium_file = _check_access_medium_file(course_handle, medium_file_id, not_found_as_unauthorized=True)
     
     if url_result.path != f"{_FILE_URI_PREFIX_PATH}/{medium_file.file_path}":
         raise ApiClientException(ERROR_BAD_REQUEST("Url does not match medium location"))