note on security

app/controllers/application_controller.rb

@@ -23,6 +23,7 @@ class ApplicationController < ActionController::Base
   end
 
   def access_denied
+    # NOTE: For security reasons, consider using 404 when denied access to a read operation.
     render 'application/access_denied', status: :unauthorized
   end