Arjen:
The code that's sending the 403 response is here: https://opendev.org/openstack/manila/src/commit/346cebcbbb519d07d98ce60cd2d388ff00a0ce25/manila/share/api.py#L1757-L1758
I sort of agree that you can detect whether a resource exists or not just because the API responds with a 403 in this case.
403 is still a valid response imo if the share belongs to the project that the user belongs to as well, but the user has no access to this action - "share:get"
In your specific case, the correct response should be 404, since the user requesting "share:get" isn't from the same project that owns the share b0758fbd-bb1c-47e7-875e-b72336111709.
Do we agree with this assessment?
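The 403/404 split proposed in the comment above, as an added sketch that is not part of the original comment and is not Manila's code. The `Context` type, the in-memory `SHARES` table, the response bodies and the `get_share` function are all hypothetical; only the "share:get" action name comes from the comment.

```python
# Added illustration; every name here is hypothetical, not Manila's API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    project_id: str
    allowed_actions: frozenset = frozenset()


# Constructed sample data: share id -> owning project.
SHARES = {"share-in-project-a": "project-a"}


def _not_found():
    # One constructor for both "missing" and "hidden" cases, so the two
    # responses cannot drift apart and become distinguishable.
    return 404, {"error": "Share could not be found."}


def get_share(context, share_id):
    """Return (status, body) for a share lookup."""
    owner = SHARES.get(share_id)

    # Share does not exist at all.
    if owner is None:
        return _not_found()

    # Share exists but belongs to another project: answer exactly as if it
    # did not exist, so the status code is not an existence oracle.
    if owner != context.project_id:
        return _not_found()

    # Same project, but the caller's role lacks the action: 403 is safe
    # here because the caller's own project already owns the share.
    if "share:get" not in context.allowed_actions:
        return 403, {"error": "Policy does not allow share:get."}

    return 200, {"share": {"id": share_id, "project_id": owner}}


if __name__ == "__main__":
    outsider = Context("project-b", frozenset({"share:get"}))
    print(get_share(outsider, "share-in-project-a"))
    print(get_share(outsider, "no-such-share"))
```

The ownership check runs before the policy check; reversing the order would bring back the 403 for cross-project callers.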