Yup. I think this is a defect because there is no error returned at all. I think either a 403 forbidden or a 404 not found would be appropriate. GET requests for a single resource return 404 when the user doesn't have permission to view that resource.
I don't like that the user doesn't receive an error at all here. I think that's confusing, but you're right that it might be for security purposes.