Comment 4 for bug 1046964

Salvatore Orlando (salvatore-orlando) wrote :

The get operation for the API invokes check instead of enforce. If the check fails because the object has no access to the network, then the record is not added to the response list.

Implementing your strategy will imply that if all checks fail we should return a 403 error. Nevertheless, in this situation, it is likely that the tenant will not own any network; hence the list operation will simply return no results, and a 200 code will still be returned.

Another way of looking at this problem would be to say that the user should not have access to the resource as well, that is to say every time the /networks URI is accessed a 403 is returned.

I think this can be achieved by registering a check that looks at the resource you're accessing and fails the check if you don't have the credentials for accessing that resource. If you like such an approach I can prototype it for you.