Permissions: don't leak existence of IDs user doesn't have access to

[zachmullen]

Currently, users are allowed to query sets of folders and files based on a parent folder ID that they don't actually have access to. The response list is always empty, but that leaks whether the given folder ID exists or not. Example, if folder ID=3 exists but the user doesn't have read permission on it, calling /folders?parent=3 will give a 200 response with an empty result set, but if they query a nonexistent folder ID such as /folders?parent=777777, it tells them that the folder ID is invalid with response 400. Same for files.