Comment 2 for bug 1789499

Revision history for this message
jessegler (je808k) wrote :

Yup. I think this is a defect because there is no error returned at all. I think either a 403 forbidden or a 404 not found would be appropriate. GET requests for a single resource return 404 when the user doesn't have permission to view that resource.

I don't like that the user doesn't receive an error at all here. I think that's confusing, but you're right that it might be for security purposes.