The resources API returns 403 Forbidden if you lack a read permission on a resource, but this discloses the existence of the resource's primary key.
Suggest returning 404 Not Found instead (like GitHub does for private repos), see discussion at MDN:
Server owners may decide to send a 404 response instead of a 403 if acknowledging the existence of a resource to clients with insufficient privileges is not desired.
Thanks for the offer @JP-sDEV. After talking briefly with @ekansa, I think we'll want to promote a little more discussion before implementing this. I'll move this to Needs Discussion in the tracker.
Just thinking about the 404/403 thing... Should we make this behavior something open to configuration?
There may be "Linked Data" scenarios where someone DOES want to acknowledge the existence of a resource, even if access permissions are not granted. In that situation, a user can learn they have to negotiate access permissions from some authority.
In other circumstances, I can see why some implementers may always want to hide the existence of something, but I don't think this is a universal need.
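As an added illustration of the two behaviours discussed in this thread (the 404-instead-of-403 proposal in the issue and the per-deployment configuration suggested in the comment above), here is a small Python handler that is not the project's own code. The in-memory RESOURCES store, the owner/public permission rule, the Response type and the hide_existence flag are all constructed for the example; the point it makes beyond the prose is that a "hidden" 404 must be produced by the same code path as a genuine 404 so the two responses cannot be told apart.

```python
"""Map a read-permission failure to 403 or 404 depending on a deployment setting."""
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory store: resource primary key -> metadata.
RESOURCES = {
    "a1b2": {"owner": "alice", "public": False},
    "c3d4": {"owner": "bob", "public": True},
}


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


def can_read(user: Optional[str], resource: dict) -> bool:
    """Constructed rule: public resources are readable by anyone, private ones by the owner."""
    return resource["public"] or user == resource["owner"]


def not_found() -> Response:
    # Single source of truth: a hidden resource and an unknown key yield a byte-identical reply,
    # so the response body cannot be used to confirm that a primary key exists.
    return Response(404, {"detail": "Not found."})


def get_resource(pk: str, user: Optional[str], hide_existence: bool) -> Response:
    """Resolve a read of `pk` for `user`.

    hide_existence=False: 403 on a permission failure. This acknowledges the resource
        exists, which suits Linked Data consumers who must then negotiate access.
    hide_existence=True: 404 on a permission failure, indistinguishable from a missing key.
    """
    resource = RESOURCES.get(pk)
    if resource is None:
        return not_found()
    if not can_read(user, resource):
        if hide_existence:
            return not_found()
        return Response(403, {"detail": "You do not have permission to read this resource."})
    return Response(200, {"uuid": pk, "owner": resource["owner"]})
```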