Comment 6 for bug 1789499

Slawek Kaplonski (slaweq) wrote :

IMO this is a valid bug. If some call is in general forbidden for the user, it should return 403 instead of an empty list with 200.

There are other cases when a user wants e.g. to get a resource which doesn't belong to him. Then we should IMO return 404 instead of 403 to not show that such a resource even exists. And AFAIK it is like that now.
Also in the case when e.g. a user tries to do neutron net-list and there are only networks which don't belong to him, he should get 200 and an empty list.