csrdelft / balins-adventure

We're going on an ADVENTURE!

API inconsistent in returning 404/403 depending on permission check used #66

Open thervh70 opened 9 years ago

thervh70 commented 9 years ago

A public user who tries to view a private announcement will get a 404. However, if it tries to delete a private announcement it will get served a 403 error (Forbidden). In that case it will know that there somehow is an announcement carrying that id.

ajrouvoet commented 9 years ago

This is not really a security issue so much as an API inconsistency: sometimes you'll get a 404, sometimes a 403, depending on the method used for permission checking (dynamic in database vs dynamic in python vs static).
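As an added illustration (not code from the balins-adventure project), the snippet below models the two permission-check styles the thread mentions and why they answer differently: a check folded into the lookup cannot tell "missing" from "hidden", while a fetch-then-check path answers 403 and thereby confirms the id exists. The announcement store, the `can_view` rule and the handler names are all constructed for this example; a third handler shows one way to make both paths answer consistently.

```python
# Added example, not from the balins-adventure code base.
# Models how the permission-check style decides between 404 and 403.
from dataclasses import dataclass


@dataclass
class Announcement:
    id: int
    title: str
    private: bool


# Constructed sample data: one public and one private announcement.
ANNOUNCEMENTS = {
    1: Announcement(1, "Public notice", private=False),
    2: Announcement(2, "Members only", private=True),
}


def can_view(user_is_member: bool, ann: Announcement) -> bool:
    """Assumed access rule: private announcements are visible to members only."""
    return user_is_member or not ann.private


def view_filtered_in_query(ann_id: int, user_is_member: bool) -> int:
    """'Dynamic in database' style: the permission is part of the lookup,
    so an id the caller may not see is indistinguishable from a missing one (404)."""
    visible = {a.id: a for a in ANNOUNCEMENTS.values() if can_view(user_is_member, a)}
    return 200 if ann_id in visible else 404


def delete_check_after_fetch(ann_id: int, user_is_member: bool) -> int:
    """'Dynamic in python' style: fetch first, then check.
    The 403 branch is only reachable when the row exists, so it leaks existence."""
    ann = ANNOUNCEMENTS.get(ann_id)
    if ann is None:
        return 404
    if not can_view(user_is_member, ann):
        return 403
    return 204


def delete_consistent(ann_id: int, user_is_member: bool) -> int:
    """Hardened variant: collapse 'not found' and 'not allowed to know it exists'
    into the same 404, matching what the query-filtered view path already returns."""
    ann = ANNOUNCEMENTS.get(ann_id)
    if ann is None or not can_view(user_is_member, ann):
        return 404
    return 204
```

Keep logging the refused request server-side even when the client sees a 404, so the uniform status code hides existence from the caller without hiding the attempt from the operator.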