From 7fdc4a9f73bc7580ce48b1bbb5652652e9272bed Mon Sep 17 00:00:00 2001
From: Douglas Hall
Date: Wed, 27 Mar 2019 11:16:20 -0400
Subject: [PATCH] Always send 404 response on requests for non-existent user accounts.

---
 openedx/core/djangoapps/user_api/accounts/tests/test_views.py | 2 +-
 openedx/core/djangoapps/user_api/accounts/views.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/openedx/core/djangoapps/user_api/accounts/tests/test_views.py b/openedx/core/djangoapps/user_api/accounts/tests/test_views.py
index 59b534e172..538db99c28 100644
--- a/openedx/core/djangoapps/user_api/accounts/tests/test_views.py
+++ b/openedx/core/djangoapps/user_api/accounts/tests/test_views.py
@@ -323,7 +323,7 @@ class TestAccountsAPI(CacheIsolationTestCase, UserAPITestCase):
         """
         client = self.login_client(api_client, user)
         response = client.get(reverse("accounts_api", kwargs={'username': "does_not_exist"}))
-        self.assertEqual(403 if user == "staff_user" else 404, response.status_code)
+        self.assertEqual(404, response.status_code)
 
     # Note: using getattr so that the patching works even if there is no configuration.
     # This is needed when testing CMS as the patching is still executed even though the
diff --git a/openedx/core/djangoapps/user_api/accounts/views.py b/openedx/core/djangoapps/user_api/accounts/views.py
index 4ee7fbaa2e..55ea0692ec 100644
--- a/openedx/core/djangoapps/user_api/accounts/views.py
+++ b/openedx/core/djangoapps/user_api/accounts/views.py
@@ -287,7 +287,7 @@ class AccountViewSet(ViewSet):
             account_settings = get_account_settings(
                 request, usernames, view=request.query_params.get('view'))
         except UserNotFound:
-            return Response(status=status.HTTP_403_FORBIDDEN if request.user.is_staff else status.HTTP_404_NOT_FOUND)
+            return Response(status=status.HTTP_404_NOT_FOUND)
         return Response(account_settings)
 
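Review bot: The updated assertion exercises only the single-username endpoint (`reverse("accounts_api", kwargs={'username': "does_not_exist"})`), while views.py changes the `UserNotFound` branch in both the multi-user path (hunk at 287, `usernames`) and the single-user path (hunk at 299, `[username]`); as far as this diff shows, the new 404 on the multi-user path has no test. A second assertion that requests the list endpoint with an unknown username and checks `self.assertEqual(404, response.status_code)` would pin that branch too. The enclosing test method starts outside the hunk, so the `api_client`/`user` parameters it is driven by are not visible here.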
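Review bot: The `except UserNotFound:` branch is now byte-identical in the two actions (this hunk at 287 and the one at 299): same exception, same `Response(status=status.HTTP_404_NOT_FOUND)`, so the next change can let them drift apart again the way the old staff-only 403 did; consider translating `UserNotFound` to 404 once, e.g. in the viewset's `handle_exception`, instead of per action. The intent of dropping the `request.user.is_staff` distinction also deserves a comment on the new line, e.g. `# Unknown usernames are 404 for every caller, staff included`, since nothing in the code now explains why staff no longer get a different status. Whether a uniform 404 also keeps unknown and existing-but-not-viewable usernames indistinguishable depends on what the permission path returns for existing accounts, which this diff does not show. Both enclosing method bodies start outside their hunks.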
@@ -299,7 +299,7 @@ class AccountViewSet(ViewSet):
             account_settings = get_account_settings(
                 request, [username], view=request.query_params.get('view'))
         except UserNotFound:
-            return Response(status=status.HTTP_403_FORBIDDEN if request.user.is_staff else status.HTTP_404_NOT_FOUND)
+            return Response(status=status.HTTP_404_NOT_FOUND)
         return Response(account_settings[0])