
silentThrow #23

Open
fratzinger opened this issue Apr 19, 2021 · 3 comments
Labels
enhancement New feature or request

Comments

@fratzinger
Owner

Throwing Forbidden maybe should not be exposed, so maybe it's a better idea to set `context.result = []` or `context.result = undefined`.

@fratzinger fratzinger added the enhancement New feature or request label Apr 19, 2021
@J3m5

J3m5 commented Apr 19, 2021

I'm not sure about this, I'd prefer to know why I don't get any result rather than just get an empty response.
And I don't think it can cause a security issue.
This is why the Forbidden error has been created for IMHO.

@fratzinger
Owner Author

Thanks for your thoughts! :) If I add it, I would make it totally optional.
For most apps, I'm on your side! But for big apps with open access the Forbidden error could open the door for hackers. As a hacker, if the Forbidden is thrown, you know that there's at least something you maybe want to investigate more.

@J3m5

J3m5 commented Apr 19, 2021

After reading RFC 7231 Section 6.5.3, it seems totally acceptable.

> A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).
>
> An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).

So yes, an option would be great! 😉
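The three behaviours discussed in this thread (throw Forbidden, silently return an empty result, or answer 404 as RFC 7231 Section 6.5.3 allows) side by side, as an added example that is not code from this issue or its project. It models a FeathersJS-style "before" hook; the context shape (`method`, `params.user`, `result`), the `mode` and `audit` options, the `isAllowed` rule and the small stand-in error classes are all assumptions constructed for the example so that it runs offline. Whatever the client is shown, the hook still hands every denial to an audit callback, so operators keep the signal that the silent mode deliberately withholds from the caller.

```javascript
// Stand-ins for @feathersjs/errors' Forbidden and NotFound (constructed here
// so the example has no dependencies).
class Forbidden extends Error {
  constructor(message = 'Forbidden') {
    super(message);
    this.name = 'Forbidden';
    this.code = 403;
  }
}

class NotFound extends Error {
  constructor(message = 'Not Found') {
    super(message);
    this.name = 'NotFound';
    this.code = 404;
  }
}

// Constructed authorization rule: any authenticated user may read, only users
// holding the 'admin' role may call `remove`, anonymous callers get nothing.
function isAllowed(user, method) {
  if (!user) return false;
  if (method === 'remove') return Array.isArray(user.roles) && user.roles.includes('admin');
  return true;
}

// Hook factory (hypothetical API). `mode` selects what the client observes:
//   'throw'    - throw Forbidden (403): the behaviour the issue starts from
//   'silent'   - set an empty result; in Feathers a result set in a before
//                hook skips the service call, so the client cannot tell
//                "denied" from "nothing there"
//   'notFound' - throw NotFound (404), the RFC 7231 Section 6.5.3 alternative
// `audit` receives every denial regardless of mode, for logging/detection.
function authorize({ mode = 'throw', audit = () => {} } = {}) {
  return function authorizeHook(context) {
    const user = context.params && context.params.user;
    if (isAllowed(user, context.method)) return context;

    audit({ method: context.method, user: user ? user.id : null, mode });

    if (mode === 'silent') {
      context.result = context.method === 'find' ? [] : null;
      return context;
    }
    if (mode === 'notFound') throw new NotFound();
    throw new Forbidden();
  };
}

// Runs a hook the way a transport would and reports what the client sees.
function runHook(hook, context) {
  try {
    const out = hook(context);
    return { status: 200, result: out.result };
  } catch (err) {
    return { status: err.code || 500, result: undefined };
  }
}

// Constructed sample calls: an anonymous `find` under each mode, plus an
// admin `remove` that passes the rule.
const denials = [];
const auditLog = (d) => denials.push(d);
const anonymousFind = () => ({ method: 'find', params: {}, result: undefined });

const loud = runHook(authorize({ mode: 'throw', audit: auditLog }), anonymousFind());
const quiet = runHook(authorize({ mode: 'silent', audit: auditLog }), anonymousFind());
const hidden = runHook(authorize({ mode: 'notFound', audit: auditLog }), anonymousFind());
const adminRemove = runHook(
  authorize({ mode: 'silent', audit: auditLog }),
  { method: 'remove', params: { user: { id: 7, roles: ['admin'] } }, result: undefined }
);

console.log('throw:', loud.status, 'silent:', quiet.status, quiet.result, 'notFound:', hidden.status);
console.log('admin remove allowed:', adminRemove.status, 'denials audited:', denials.length);
```

The trade-off the thread describes is visible in the output: `throw` and `notFound` give the caller an error status, `silent` returns 200 with an empty array, but all three denials land in `denials`, which is where a defender would want them to end up.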
