Comment 3 for bug 1840288

Guang Yee (guang-yee) wrote :

I agree with Morgan, Class C1 sounds appropriate. I think we should be able to craft a policy that authorizes on trustee and trustor only. Merely changing the return code to 403 may not be the right fix. That's like security by obscurity.